Original Publication Date: 06/19/2017
This release note documents the version 13.0.0 release of F5 SSL Orchestrator with F5 SSL Intercept iAppLX version 2.2.
This version of F5 SSL Orchestrator is supported on the following platforms:
The SSL Orchestrator license is the only Base module that is installed on your system. However, you can add the following modules:
For more information about purchasing other module licenses, contact your F5 Sales representative.
The F5 SSL Orchestrator iAppLX template acts as the configuration utility for SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:
This is the F5 SSL Orchestrator 13.0.0 with iAppLX version 2.2 template release.
For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator 13.0.0 Documentation page.
F5 SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, designed to easily integrate into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Dynamic Service Chaining processes specific connections based on context provided by the Classification Engine. These service chains can include four types of services (Layer 2 in-line services, Layer 3 in-line services, receive-only services, and ICAP services) you define, as well as any decrypt zone between separate ingress and egress devices).
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:
|634030||Previously, the Layer 3 inline server received traffic with a SNAT client IP address. Now, the Layer 3 inline server sees the original client IP address unless it cannot handle the IP protocol (for example, the traffic is IPv6, but the inline server can only handle IPv4 traffic).
Prior to 2.2, SSL Orchestrator would use a SNAT pool of addresses when sending traffic through a Layer 3 inline device. This simplified routing, but hid the source address from those devices. Beginning in version 2.2, SSL Orchestrator will only SNAT traffic if there is an IP protocol version mismatch between the client traffic and the inline service devices. All other traffic will be forwarded without changing the address, allowing inline services to see the actual source address and use that in their decisions.
The impact of this change: Any layer 3 inline service devices will need to be configured with a static route for all internal networks pointing to a next hop of the inward BIG-IP address. This address can be determined by looking at the addresses in the server selection box and should use the “.1” IP address of the subnet range that includes the selected server (for example, if the selected server is 198.19.0.61 (/25 is assumed), the next hop configured on the device should be 198.19.0.1).
If the Layer 3 address range has been changed, it would be a similar address within the new range.
Before upgrading to version 2.2, any Layer 3 inline devices should be checked and updated as needed to make sure they will correctly route traffic back to the SSL Orchestrator.
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.