Manual Chapter : Setting Up a Basic Configuration

Applies To: F5 SSL Orchestrator 13.0.0

Overview: Setting up a basic configuration

This section contains general information that the system needs before you can configure services and service chains. The F5® Herculon™ SSL Orchestrator™ configuration utility will assist you with configuring logging settings, setting up ingress and egress devices as one system or separate systems, and configuring the system for transparent proxy and explicit proxy.

Configuring general properties

You must provide general information that the system needs so that you can then set up ingress and egress devices, create services and service chains, and create classifier rules using the Herculon SSL Orchestrator configuration utility.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. For the Application Service Name field, ssloApp is the default name for this configuration.
  3. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select one of the options:
    • If the same BIG-IP system receives both ingress and egress traffic on different networks, use No, use one BIG-IP device for ingress and egress.
    • If you are configuring separate devices for ingress and egress traffic, use Yes, configure separate ingress and egress BIG-IP devices.
  4. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  5. From the Which proxy schemes do you want to implement? list, select whether the system operates in transparent proxy mode, explicit proxy mode, or both.
    • Use Implement transparent proxy only for the system to operate in transparent proxy mode. The transparent proxy scheme can intercept all types of TLS and TCP traffic. It also processes UDP traffic and forwards all other types of traffic. The transparent proxy requires no client configuration modifications.
    • Use Implement both transparent and explicit proxies for the system to operate in explicit and transparent proxy modes simultaneously.
    • Use Implement explicit proxy only for the system to operate in explicit proxy mode. The explicit proxy scheme supports only HTTP(S) per RFC2616. If you choose to configure an explicit proxy, assign a specific IP address and TCP port where the HTTP explicit-proxy clients connect.
  6. From the Do you want to pass UDP traffic through the transparent proxy unexamined? list, select one of the options:
    • Use Yes, pass all UDP traffic unexamined to pass UDP traffic through without inspecting it.
    • Use No, manage UDP traffic by classification to configure specific service chain classifier rules for UDP traffic.
    This option is available only if you select Implement transparent proxy only.
  7. From the Do you want to pass non-TCP, non-UDP traffic through the transparent proxy? list, select one of the options:
    • Use Yes, pass non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) if you want the system to pass all traffic that is not TCP or UDP through the transparent proxy. If you choose this option, this traffic will not be classified or processed by any service chain.
    • Use No, block all non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) for the system to block all non-TCP and non-UDP traffic.
    This option is available only if you select Implement transparent proxy only.
  8. From the Which is the SSL Forward Proxy CA certificate? list, select the Certificate Authority (CA) certificate that your clients will trust to authenticate intercepted TLS connections.
  9. From the Which is the SSL Forward Proxy CA private key? list, select the corresponding private key.
    You import the CA certificate and private key while configuring the Setup Wizard. If you did not use the Setup Wizard, you must import a CA certificate before you can use this functionality.
  10. In the What is the private-key passphrase (if any)? field, type the private-key passphrase.
    If the key does not have a passphrase, leave the field empty.
  11. From the Which CA bundle is used to validate remote server certificates? list, select the CA bundle that validates the remote server certificates.
    The CA bundle is the collection of root and intermediate certificates for the CA you trust to authenticate servers where your clients might connect. The CA bundle is also known as the local trust store.
  12. From the Should connections to servers with expired certificates be allowed? list, select one of the two options to determine what happens with connections to servers with expired certificates:
    • Use Yes, allow connections to servers with expired certificates to allow connections to the servers that have expired certificates.
    • Use No, forbid connections to servers with expired certificates to prevent connections to servers that have expired certificates.
    Remote servers can present expired certificates. Allowing connections to such servers is a security risk.
  13. From the Should connections to servers with untrusted certificates be allowed? list, select one of the two options to determine what happens with connections to servers with untrusted certificates:
    • Use Yes, allow connections to servers with untrusted certificates to allow connections to the servers that have untrusted certificates.
    • Use No, forbid connections to servers with untrusted certificates to prevent connections to servers that have untrusted certificates.
    Remote servers can present untrusted certificates. Allowing connections to such servers is a security risk.
  14. If strict updates should protect the configuration, select the check box for Should strict updates be enforced for this application?.
    If you select this option, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration.
    F5 recommends that you enable this setting to avoid misconfigurations that could result in an unusable application and impair F5's ability to support your product.
  15. Click Save.
You have provided the basic configuration the system requires for Herculon SSL Orchestrator.
You can now set up ingress and egress devices, configure transparent or explicit proxies for the system, and create services, service chains, and classifier rules.

Configuring logging

Before configuring logging for F5® Herculon™ SSL Orchestrator™, complete all areas in General Properties. Refer to the Configuring general properties section of this document for more information.
You can generate log messages to help you monitor (and optionally debug) system activity, and you can choose the level of logging you want the system to perform. Log messages may be sent to one or more external log servers (preferred) and/or stored on the BIG-IP® device (less desirable because BIG-IP devices have limited log storage capacity).
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. Scroll down to the Logging Configuration area to the What SSL Intercept logging level do you want to enable? list, and select the level of logging you want the system to perform.
    • Use Errors. Log only functional errors to log errors related to how Herculon SSL Orchestrator functions.
    • Use Normal. Log connection data as well as errors to log per-connection data in addition to functional errors.
    • Use Debug. Log debug data as well as normal level data to log debug data as well as connection data and functional errors. Because this logging level consumes more resources on the BIG-IP system, use this mode only during setup or troubleshooting.
  3. From the Which Log Publisher will process the log messages? list, select an existing Log Publisher object to process the log messages, or select None to send the messages to syslog-ng instead.
    • Use None (Send log messages to syslog-ng) to send log messages to the system management plane syslog-ng subsystem. This option is not recommended for use in production systems.
    • Otherwise, from the list, select the Log Publisher you created. A Log Publisher delivers log messages to one or more Log Destinations, which may include Syslog, ArcSight, Splunk, other log servers, and the BIG-IP system's local log database. To use a Log Publisher, it must already be present on the system.
    We strongly recommend that you use a Log Publisher for good system performance. The syslog-ng service is adequate for Errors-only logging but is too slow for Normal or Debug logging when the system is used in production.
  4. From the What kind of statistics do you want to record? list, select the type of statistic the system records. This implementation can collect usage data for connections, service chains, services, and so on. The implementation can also record remote domain names and TLS cipher suites for TLS connections if you wish, but gathering such data consumes more system resources.
    Domain names are taken from remote server PKI certificates (or client SNI in the case of Dynamic Domain Bypass) and may include a wild card. TLS cipher suites may not be recorded when a connection bypasses interception.
    If you choose to collect any statistics, the BIG-IP system keeps extra data in memory for integration with performance reporting systems such as Splunk or BIG-IP iStats.
    • Use None if you do not want the system to record statistics.
    • Use Usage counters only (No remote-domain+cipher records) to record usage counters only and not statistics on remote-domain and cipher records.
    • Use Usage counters and remote-domain+cipher records (may slow system) to record both usage counters and remote-domain and cipher records. This option can slow performance on your system.
  5. Click Save.
You have configured logging options and completed the basic Herculon SSL Orchestrator configuration.

Configuring an ingress and egress device on one system

The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The egress device is either a device or a Sync-Failover device group that receives traffic after a connection travels through the specified service chain and directs the traffic to the final destination.

If the same BIG-IP® system handles both ingress and egress traffic, the ingress device is one or more ingress VLANs where the clients send traffic. The ingress device decrypts the traffic and then, based on protocol, source, and destination, classifies the traffic and passes each connection for inspection.

If the same BIG-IP system handles both ingress and egress traffic, the egress device is one or more egress VLANs where the clients receive traffic.

  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. If you have only one BIG-IP system, from the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select No, use one BIG-IP device for ingress and egress.
  3. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  4. From the Ingress Device Configuration area, for the Which VLAN(s) will bring client traffic to the transparent proxy? setting, select one or more VLANs where transparent-proxy ingress traffic will arrive.
  5. From the How should a server TLS handshake failure be handled? list, select whether you want the system to fail the connection or to bypass it when the server-side TLS handshake fails.
  6. From the DNS query resolution list, select whether to permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from Herculon SSL Orchestrator.
    • If you select Send DNS queries directly to nameservers across the internet, proceed to step 7.
    • If you select Send DNS queries to forwarding nameservers on the local network, proceed to step 8.
  7. From the Do you want to configure local/private DNS zones? list, select whether you do, or do not, want to configure local or private DNS zones.
    • If you select No, do not configure any local/private DNS zones, proceed to step 10.
    • If you select Yes, configure local/private DNS zones, proceed to step 9.
  8. In the Which local forwarding nameserver(s) will resolve DNS queries from this solution? field, type the IP address of local nameservers that will resolve all DNS queries from this implementation and click Add. Once you have added the necessary nameserver IP addresses, proceed to step 10.
  9. In the List local/private Forward Zones setting, click Add and type the IP address of one or more nameservers.
  10. From the Do you want to use DNSSEC to validate DNS information? list, select whether you do, or do not, want to use DNSSEC to validate the DNS information.
  11. In the Egress Device Configuration area, from the Do you want to SNAT client IP addresses? list, select whether you do, or do not, want to define SNAT addresses.
    • If you select No, pass client addresses unaltered, proceed to step 14.
    • If you select Yes, SNAT (replace) client addresses, proceed to step 12.
  12. From the Do you want to use a SNAT Pool? list, select whether you want to use a SNAT pool or SNAT auto map to translate addresses.
    • If you select Yes, define SNAT Pool addresses for good performance, proceed to step 13.
    • If you select No, use SNAT Auto Map (not recommended), proceed to step 14.
  13. Options to provide SNAT addresses will vary, depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Enter at least as many IP host addresses as the number of TMM instances on the ingress device. Each address must be uniquely assigned and routed to the ingress device. It is best to assign addresses which are adjacent and grouped under a CIDR mask, for example, 203.0.113.8 up through 203.0.113.15, which fill 203.0.113.8/29.
    • In the IPv4 SNAT addresses field, type the IPv4 SNAT address.
    • In the IPv6 SNAT addresses field, type the IPv6 SNAT address.
    • In both the IPv4 SNAT addresses and IPv6 SNAT addresses fields, type both the IPv4 and IPv6 SNAT addresses.
  14. From the Should traffic go to the Internet via specific gateways? list, select whether you want the system to send all SSL traffic via the default route, or whether you want to specify Internet gateways (routers). If you choose to use specific gateways, you can also define the ratio of traffic sent to each device in the next step.
    • If you want outbound/Internet traffic to use the default route on the BIG-IP system, select No, send outbound/Internet traffic via the default route and proceed to step 16 to save.
    • If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given), use Yes, send outbound/Internet traffic via specific gateways and proceed to step 15.
  15. Options to provide the outbound gateway addresses will vary, depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Specify one or more Internet gateway addresses (routers) to handle outbound SSL traffic and control the share of traffic each is given.
    • In the What are the IPv4 outbound gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 17 to save.
    • In the What are the IPv6 outbound gateway addresses? field, type the IPv6 gateway addresses. Proceed to step 16.
    • In both the What are the IPv4 outbound gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 16.
    Click the + button to add additional addresses.

    You can enter multiple gateways if you have multiple systems and wish to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.

  16. In the Non-public IPv6 networks via IPv6 gateways field, type the requested IPv6 address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
  17. Click Save.
You have now configured an ingress device and an egress device located on one system.
This procedure describes only the fields, lists, and areas needed to configure an ingress and egress device on one system. You should complete the other areas in General Properties before moving on to create services and service chains.

Configuring an ingress device (for separate ingress and egress devices)

The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The ingress device is one or more ingress VLANs where the clients send traffic. The ingress device decrypts the traffic and then, based on protocol, source, and destination, classifies the traffic and passes each connection for inspection.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select Yes, configure separate ingress and egress BIG-IP devices.
  3. From the Is this device the ingress or egress device? list, select This is the INGRESS device to which clients connect.
  4. In the What is the EGRESS device Application Service name? field, type the name of the device service.
  5. In the What is the IP address of the EGRESS device control-channel virtual server? field, type the IP address of the service chain control channel virtual server over on the egress device.
  6. In the What IP address should THIS (ingress) device's control-channel virtual server use? field, type the IP address of the virtual server for the service chain control channel on a VLAN.
  7. In the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices.
  8. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  9. From the Ingress Device Configuration area, for the Which VLAN(s) will bring client traffic to the transparent proxy? setting, select one or more VLANs where transparent-proxy ingress traffic will arrive.
  10. From the How should a server TLS handshake failure be handled? list, select whether you want the system to fail the connection or to bypass it when the server-side TLS handshake fails.
  11. From the DNS query resolution list, select whether to permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from Herculon SSL Orchestrator.
    • If you select Send DNS queries directly to nameservers across the internet, proceed to step 12.
    • If you select Send DNS queries to forwarding nameservers on the local network, proceed to step 13.
  12. From the Do you want to configure local/private DNS zones? list, select whether you do, or do not, want to configure local or private DNS zones.
    • If you select No, do not configure any local/private DNS zones, proceed to step 15.
    • If you select Yes, configure local/private DNS zones, proceed to step 14.
  13. In the Which local forwarding nameserver(s) will resolve DNS queries from this solution? field, type the IP address of local nameservers that will resolve all DNS queries from this implementation and click Add. Once you have added the necessary nameserver IP addresses, proceed to step 15.
  14. In the List local/private Forward Zones setting, click Add and type the IP address of one or more nameservers.
  15. From the Do you want to use DNSSEC to validate DNS information? list, select whether you do, or do not, want to use DNSSEC to validate the DNS information.
  16. In the Decrypt Zone to Egress Device Configuration area, for Are there parallel service devices in the decrypt zone?, select whether you want to send outbound traffic using the BIG-IP® system default route(s) or send outbound traffic through one or more service devices.
    • If the system will send the traffic through its default route to the internet, which must be configured to point to the egress BIG-IP® system, use No, send outbound traffic via the BIG-IP default route(s) and proceed to step 19 to save.
    • If your configuration includes any Layer 3 systems in the decrypt zone that must receive the traffic, use Yes, send outbound traffic via one or more service device(s) and proceed to step 17.
  17. Options to provide the outbound gateway addresses will vary, depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type the IP addresses of the inward interface of the first Layer 3 device in the decrypt zone or the decrypt zone gateway.
    • In the What are the IPv4 decrypt zone gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 19 to save.
    • In the What are the IPv6 decrypt zone gateway addresses? field, type the IPv6 gateway addresses. Proceed to step 18.
    • In both the What are the IPv4 decrypt zone gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 18.
    Click the + button to add additional addresses.

    You can enter multiple gateways if you have multiple systems and wish to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.

  18. In the What are the Non-public IPv6 networks via IPv6 gateways? field, type the requested IPv6 address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
  19. Click Save.
You have now configured an ingress device for a system configured for separate ingress and egress devices.
This procedure describes only the fields, lists, and areas needed to configure an ingress device. You should complete the other areas in General Properties before moving on to create services and service chains.

Configuring an egress device (for separate ingress and egress devices)

The egress device is either a device or a Sync-Failover device group that receives traffic after a connection travels through the specified service chain and directs the traffic to the final destination. When you set up separate ingress and egress devices, the two devices send each other control messages. These can go through the decrypt zone, or around it if you configure a different path through the network. In either case, the messages are sent through TCP connections to port 245, at an IP address you specify, on each BIG-IP® system.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select Yes, configure separate ingress and egress BIG-IP devices.
  3. From the Is this device the ingress or egress device? list, select This is the EGRESS device which connects to servers.
  4. In the What is the INGRESS device Application Service name? field, type the name of the device service.
  5. In the What is the IP address of the INGRESS device control-channel virtual server? field, type the IP address of the service chain control channel virtual server over on the ingress device.
  6. In the What IP address should THIS (egress) device's control-channel virtual server use? field, type the IP address of the virtual server for the service chain control channel on a VLAN.
  7. In the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices.
  8. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  9. From the Egress Device Configuration area, in the Which VLAN(s) are part of the decrypt zone? (These bring traffic from the ingress device) setting, select one or more VLANs where transparent-proxy egress traffic will arrive.
  10. From the Do you want to SNAT client IP addresses? list, select whether you do, or do not, want to define SNAT addresses.
    • If you select No, pass client addresses unaltered, proceed to step 13.
    • If you select Yes, SNAT (replace) client addresses, proceed to step 11.
  11. From the Do you want to use a SNAT Pool? list, select whether you want to use a SNAT pool or SNAT auto map to translate addresses.
    • If you select Yes, define SNAT Pool addresses for good performance, proceed to step 12.
    • If you select No, use SNAT Auto Map (not recommended), proceed to step 13.
  12. Options to provide SNAT addresses will vary, depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type at least as many IP host addresses as the number of TMM instances on the ingress device. Each address must be uniquely assigned and routed to the ingress device. It is best to assign addresses which are adjacent and grouped under a CIDR mask, for example, 203.0.113.8 up through 203.0.113.15, which fill 203.0.113.8/29.
    • In the IPv4 SNAT addresses field, type the IPv4 SNAT address.
    • In the IPv6 SNAT addresses field, type the IPv6 SNAT address.
    • In both the IPv4 SNAT addresses and IPv6 SNAT addresses fields, type both the IPv4 and IPv6 SNAT addresses.
  13. From the Should traffic go to the Internet via specific gateways? list, select whether you want the system to send all SSL traffic via the default route, or whether you want to specify Internet gateways (routers). If you choose to use specific gateways, you can also define the ratio of traffic sent to each device in the next step.
    • If you want outbound/Internet traffic to use the default route on the BIG-IP system, use No, send outbound/Internet traffic via the default route and proceed to step 16.
    • If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given), use Yes, send outbound/Internet traffic via specific gateways and proceed to step 14.
  14. Options to provide the outbound gateway addresses will vary, depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type the IP addresses of the inward interface of the first Layer 3 device in the decrypt zone or the decrypt zone gateway.
    • In the What are the IPv4 outbound gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 16 to save.
    • In the What are the IPv6 outbound gateway addresses? field, type the IPv6 gateway addresses. Proceed to step 15.
    • In both the What are the IPv4 outbound gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 15.
    Click the + button to add additional addresses.

    You can enter multiple gateways if you have multiple systems and wish to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.

  15. In the Non-public IPv6 networks via IPv6 gateways field, type the requested IPv6 address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
  16. In the Decrypt Zone to Ingress Device Configuration area, for Are there parallel service devices in the decrypt zone?, select whether you want to send outbound traffic using the BIG-IP system default route(s) or send outbound traffic through one or more service devices.
    • If the system will send the traffic through its default route, which must be configured to point to the ingress BIG-IP system, use No, send outbound traffic via the BIG-IP default route(s) and proceed to step 19 to save.
    • If your configuration includes any Layer 3 systems in the decrypt zone that must receive the responses to traffic, use Yes, send outbound traffic via one or more service device(s) and proceed to step 17.
  17. Options to provide the outbound gateway addresses will vary, depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type the IP addresses of the inward interface of the first Layer 3 device in the decrypt zone or the decrypt zone gateway.
    • In the What are the IPv4 decrypt zone gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 19 to save.
    • In the What are the IPv6 decrypt zone gateway addresses? field, type the IPv6 gateway addresses. Proceed to step 18.
    • In both the What are the IPv4 decrypt zone gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 18.
    Click the + button to add additional addresses.

    You can enter multiple gateways if you have multiple systems and want to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.

  18. In the What are the intranet networks (subnets)? field, type the IP address and mask-length in CIDR format for each intranet subnet.
    Click the + button to add additional addresses. Typical IPv4 entries include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
  19. Click Save.
You have now configured an egress device for a system configured for separate ingress and egress devices.
This describes only the fields, lists, and areas needed to configure an egress device. You should complete the other areas in General Properties before moving on to create services and service chains.
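As an added pre-flight check (example code written for this page, not part of the F5 product or of this manual), the following Python script validates entries intended for the Non-public IPv6 networks field (step 15) and the intranet networks field (step 18) using the definitions those steps give: prefix/mask-length CIDR notation, non-public IPv6 meaning anything outside 2000::/3, and the typical private IPv4 ranges. Treating the ULA block fc00::/7 as the private IPv6 range for the intranet check is an assumption, not something the manual states.

```python
import ipaddress

# Definitions taken from steps 15 and 18 above.
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption for this example: ULA space counts as "private" IPv6 intranet.
PRIVATE_V6 = ipaddress.ip_network("fc00::/7")


def parse_cidr(text):
    """Return a strict ip_network, or None if the entry is not valid prefix/mask-length."""
    if "/" not in text:
        return None  # the fields require an explicit mask-length
    try:
        # strict=True rejects entries such as 10.1.2.3/8 that have host bits set
        return ipaddress.ip_network(text.strip(), strict=True)
    except ValueError:
        return None


def check_non_public_ipv6(text):
    """Step 15: the entry must be IPv6 CIDR lying entirely outside 2000::/3."""
    net = parse_cidr(text)
    if net is None:
        return (False, "not a valid prefix/mask-length")
    if net.version != 6:
        return (False, "not an IPv6 network")
    # A network such as ::/0 that merely overlaps the public block is also rejected,
    # because it would route public destinations through the IPv6 gateways.
    if net.overlaps(GLOBAL_UNICAST_V6):
        return (False, "overlaps the public 2000::/3 block")
    return (True, "ok")


def classify_intranet(text):
    """Step 18: return 'invalid', 'private' or 'non-private' for an intranet entry.

    Non-private entries are not wrong (the manual only calls the RFC 1918
    ranges "typical"), but they are worth a second look before saving.
    """
    net = parse_cidr(text)
    if net is None:
        return "invalid"
    # subnet_of() only accepts networks of the same IP version, so branch first.
    if net.version == 4:
        return "private" if any(net.subnet_of(p) for p in PRIVATE_V4) else "non-private"
    return "private" if net.subnet_of(PRIVATE_V6) else "non-private"


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real deployment.
    for entry in ("fc00::/7", "2001:db8::/32", "::/0", "fc00::"):
        print(entry, check_non_public_ipv6(entry))
    for entry in ("10.0.0.0/8", "172.32.0.0/12", "10.1.2.3/8", "fd12:3456::/32"):
        print(entry, classify_intranet(entry))
```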

Configuring the system for transparent proxy

You can configure Herculon SSL Orchestrator to operate in transparent proxy mode only. A transparent proxy intercepts normal communication without requiring any special client configuration, so clients are unaware of the proxy in the network.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  3. From the Which proxy schemes do you want to implement? list, select Implement transparent proxy only.
  4. From the Do you want to pass UDP traffic through the transparent proxy unexamined? list, select one of the options:
    • Use Yes, pass all UDP traffic unexamined to pass UDP traffic through without inspecting it.
    • Use No, manage UDP traffic by classification to configure specific service chain classifier rules for UDP traffic.
  5. From the Do you want to pass non-TCP, non-UDP traffic through the transparent proxy? list, select one of the options:
    • Use Yes, pass non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) if you want the system to pass all traffic that is not TCP or UDP through the transparent proxy. If you choose this option, this traffic will not be classified or processed by any service chain.
    • Use No, block all non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) for the system to block all non-TCP and non-UDP traffic.
  6. Click Save.
You have now configured Herculon SSL Orchestrator to work in transparent proxy mode.
This describes only the fields, lists, and areas needed to configure Herculon SSL Orchestrator to work in transparent proxy mode. You should also complete the other areas in General Properties before moving on to create services and service chains.

Configuring the system for explicit proxy

You can configure Herculon SSL Orchestrator to operate in explicit proxy mode only. Explicit proxy in Herculon SSL Orchestrator requires manual configuration of the client and supports only HTTP(S) based on RFC2616.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  3. From the Which proxy schemes do you want to implement? list, select Implement explicit proxy only.
  4. In the Explicit Proxy Configuration area, from the On which VLAN(s) should the explicit proxy listen? field, select one or more BIG-IP® VLANs where the explicit proxy listens.
  5. The options for providing the explicit proxy address and port vary depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type the IP address and port that the BIG-IP system should use for the explicit proxy virtual server, using one of these options.
    • In the What IPv4 address and port should the explicit proxy use? field, type the IPv4 address and port.
    • In the What IPv6 address and port should the explicit proxy use? field, type the IPv6 address and port.
    • In both the What IPv4 address and port should the explicit proxy use? and What IPv6 address and port should the explicit proxy use? fields, type both the IPv4 and IPv6 address and port information.
  6. Click Save.
You have now configured Herculon SSL Orchestrator to work in explicit proxy mode.
This describes only the fields, lists, and areas needed to configure Herculon SSL Orchestrator to work in explicit proxy mode. You should also complete the other areas in General Properties before moving on to create services and service chains.

Configuring the system for both transparent and explicit proxies

You can configure Herculon SSL Orchestrator to operate in both transparent and explicit proxy modes. A transparent proxy intercepts normal communication without requiring any special client configuration, so clients are unaware of the proxy in the network. Explicit proxy in Herculon™ SSL Orchestrator requires manual configuration of the client and supports only HTTP(S) based on RFC2616.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. Scroll down to the Which IP address families do you want to support? list, and select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  3. From the Which proxy schemes do you want to implement? list, select Implement both transparent and explicit proxies.
  4. From the Do you want to pass UDP traffic through the transparent proxy unexamined? list, select one of the options:
    • Use Yes, pass all UDP traffic unexamined to pass UDP traffic through without inspecting it.
    • Use No, manage UDP traffic by classification to configure specific service chain classifier rules for UDP traffic.
  5. From the Do you want to pass non-TCP, non-UDP traffic through the transparent proxy? list, select one of the options:
    • Use Yes, pass non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) if you want the system to pass all traffic that is not TCP or UDP through the transparent proxy. If you choose this option, this traffic will not be classified or processed by any service chain.
    • Use No, block all non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) for the system to block all non-TCP and non-UDP traffic.
  6. In the Explicit Proxy Configuration area, from the On which VLAN(s) should the explicit proxy listen? field, select one or more BIG-IP® VLANs where the explicit proxy listens.
  7. The options for providing the explicit proxy address and port vary depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type the IP address and port that the BIG-IP system should use for the explicit proxy virtual server, using one of these options.
    • In the What IPv4 address and port should the explicit proxy use? field, type the IPv4 address and port.
    • In the What IPv6 address and port should the explicit proxy use? field, type the IPv6 address and port.
    • In both the What IPv4 address and port should the explicit proxy use? and What IPv6 address and port should the explicit proxy use? fields, type both the IPv4 and IPv6 address and port information.
You have now configured Herculon SSL Orchestrator to work in both transparent and explicit proxy modes.
This describes only the fields, lists, and areas needed to configure Herculon SSL Orchestrator to work in both transparent and explicit proxy modes. You should also complete the other areas in General Properties before moving on to create services and service chains.