Manual Chapter: Configuring the System for F5 Herculon SSL Orchestrator

Applies To: F5 SSL Orchestrator 13.1.0

Overview: Configuring the system for F5 Herculon SSL Orchestrator

To set up your system for decrypting and encrypting outbound SSL/TLS traffic, you need to use the F5® Herculon™ SSL Orchestrator™ Setup Wizard, which initially guides you through the basic, minimal setup configuration. When you have completed the basic setup using the Setup Wizard, the Herculon SSL Orchestrator configuration utility assists you with the rest of your configuration.
Note: If you are implementing a high availability environment for Herculon SSL Orchestrator, review the Setting up Herculon SSL Orchestrator in a High Availability Environment section for more detailed information.

Using the Herculon SSL Orchestrator setup wizard

Before you start this task:

Make sure you set up a management IP address, netmask, and default routing on your system.

Note: If at any time during your configuration you need to return to the F5® Herculon™ SSL Orchestrator™ Setup Wizard, simply click the F5 logo in the upper-left corner of the configuration utility, and on the Welcome screen, click the Run the Setup Utility link.
The Herculon SSL Orchestrator Setup Wizard guides you through the basic, minimal setup configuration for Herculon SSL Orchestrator.
  1. On the Welcome screen, click Next.
  2. On the License screen, click Activate.
  3. On the EULA screen, click Accept.
    The license activates and the system reboots for the configuration changes to take effect.
  4. After the system reboots, click Continue.
  5. On the Device Certificates screen, click Next.
  6. On the Platform screen, for the Management Port Configuration setting, click Manual.
    The Management Port setting should include the management interface details that were previously created.
  7. In the Host Name field, type the name of this system.
    The Host Name must be a fully qualified domain name.
    For example, www.siterequest.com.
  8. In the User Administration area, type and confirm the Root Account and Admin Account passwords, and click Next.
    The Root Account provides access to the command line, while the Admin Account accesses the user interface.
    The system notifies you to log out and then log back in with your username and new password.
  9. Click OK.
    The system reboots.
  10. Optional: On the Network Time Protocol (NTP) screen, in the Address field, type the IP address of the NTP server to synchronize the system clock with an NTP server, and click Add.
  11. Click Next.
    The Domain Name Server (DNS) screen opens.
  12. Optional: To resolve host names on the system, set up the DNS and associated servers:
    1. For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server and click Add.
    2. If you use BIND servers, add them in the BIND Forwarder Server List.
    3. For local domain lookups to resolve local host names, add them in the DNS Search Domain List.
    4. Click Next.
    The Internal VLAN screen opens.
    Note: If you plan to later use the DNSSEC option in the configuration utility, you must set up DNS using the Herculon SSL Orchestrator Setup Wizard. Otherwise, this step is optional.
  13. Specify the Self IP settings for the internal network:
    1. In the Address field, type a self IP address.
    2. In the Netmask field, type a network mask for the self IP address.
    3. For the Port Lockdown setting, retain the default value.
  14. For the VLAN Tag ID setting, retain the recommended default value, auto.
  15. For the Interfaces setting:
    1. From the VLAN Interfaces list, select an interface number.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. Click Add.
  16. Click Next.
    This completes the configuration of the internal self IP addresses and VLAN, and the External VLAN screen opens.
  17. Specify the Self IP setting for the external network:
    1. In the Address field, type a self IP address.
    2. In the Netmask field, type a network mask for the self IP address.
    3. For the Port Lockdown setting, retain the default value.
  18. In the Default Gateway field, type the IP address that you want to use as the default gateway to the external VLAN.
  19. For the VLAN Tag ID setting, retain the recommended default value, auto.
  20. Click Next.
    This completes the configuration of the external self IP addresses and VLAN.
  21. On the Forward Proxy Certificate screen, do the following:
    1. In the Certificate Name field, select Create New and type a certificate name.
    2. In the Certificate Source field, select either Upload File and click Choose File, or select Paste Text and copy and paste your certificate source.
    3. In the Key Source field, select either Upload File and click Choose File, or select Paste Text and copy and paste your key source.
    4. From the Security Type list, select either Normal or Password.
  22. Click Next.
  23. On the Logging screen, under Publisher Type, select either local or splunk.
    • If you select local as your Publisher Type, specify the Destination as either local-db or local-syslog and click Next.
      Note: This determines the destination of your logs as being either a local database or a local syslog server.
    • If you select splunk as your Publisher Type:
      1. For Protocol, select either TCP or UDP.
      2. Type the IP address and the Port of the splunk server.
      3. Click Next.
You are now ready to proceed to the second part of the configuration where you follow additional instructions to finalize your system for Herculon SSL Orchestrator.
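The certificate and key entered on the Forward Proxy Certificate screen (step 21) are what the system uses to re-sign the server certificates it presents to clients, so a certificate that is not actually a CA, a key that does not belong to the certificate, or a certificate that is about to expire will break interception for every client that trusts it. The following pre-flight check is an added example and is not part of the F5 manual or product; it assumes the openssl command-line tool (1.1.1 or later) is available on the workstation where you prepare the files. The demo CA and the non-CA "leaf" pair it generates are constructed test data, and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the F5 manual: sanity checks for the CA certificate
# and private key you are about to upload or paste on the Forward Proxy
# Certificate screen. Assumes the openssl CLI (1.1.1+). The demo material
# built by make_demo_certs is constructed for illustration only.
set -u

# is_ca_cert <cert.pem>: succeeds if basicConstraints marks the cert as a CA
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# can_sign_certs <cert.pem>: succeeds if Key Usage permits certificate signing
can_sign_certs() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Certificate Sign'
}

# key_matches_cert <cert.pem> <key.pem>: succeeds if both yield the same public key
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# not_expiring_soon <cert.pem> [days]: succeeds if the cert stays valid for
# at least <days> more days (default 30)
not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# check_forward_proxy_ca <cert.pem> <key.pem>: runs every check, prints one
# PASS/FAIL line per check, returns 0 only if all of them pass
check_forward_proxy_ca() {
    rc=0
    for chk in is_ca_cert can_sign_certs not_expiring_soon; do
        if "$chk" "$1"; then echo "PASS $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    if key_matches_cert "$1" "$2"; then
        echo "PASS key_matches_cert"
    else
        echo "FAIL key_matches_cert"; rc=1
    fi
    return $rc
}

# make_demo_certs <dir>: constructed test data, a proper CA pair (ca.crt/ca.key)
# and a non-CA leaf pair (leaf.crt/leaf.key) that the checks must reject
make_demo_certs() {
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = Demo Forward Proxy CA
[ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$1/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = not-a-ca.example
[ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/leaf.cnf" \
        -keyout "$1/leaf.key" -out "$1/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: build the demo material in a temp dir and check both pairs.
DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR" || echo "could not generate demo certificates"
echo "== CA pair =="
check_forward_proxy_ca "$DEMO_DIR/ca.crt" "$DEMO_DIR/ca.key" || echo "CA pair is NOT usable"
echo "== leaf pair (expected to fail) =="
check_forward_proxy_ca "$DEMO_DIR/leaf.crt" "$DEMO_DIR/leaf.key" || echo "leaf pair rejected, as expected"
rm -rf "$DEMO_DIR"
```

To use it on real material, replace the demo paths with your own files, e.g. `check_forward_proxy_ca fwdproxy-ca.crt fwdproxy-ca.key`; if the key is password protected (the Password security type in step 21), add `-passin` to the `openssl pkey` call. The public-key comparison is deliberately done on the SubjectPublicKeyInfo PEM rather than on RSA moduli so the same check works for EC keys.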

Backing up your BIG-IP configuration

Before beginning the Herculon SSL Orchestrator configuration, or before you make substantial changes, we strongly recommend you back up the BIG-IP configuration using the following steps. This allows you to restore the previous configuration in case of any issues.
  1. On your system, click System > Archives.
  2. To initiate the process of creating a new UCS archive (backup), click Create.
  3. In the File Name box, type a name for the file. The name must be unique.
  4. Click Finished.
  5. To restore the configuration from a UCS archive, go to System > Archives.
  6. Select the name of the UCS file you want to restore and click Restore.
Your BIG-IP configuration is now safely restored.

Modifying your Herculon SSL Orchestrator configuration

We recommend that you back up your BIG-IP® configuration prior to making any changes to your F5® Herculon™ SSL Orchestrator™ configuration. Refer to the Backing up the BIG-IP Configuration section of this document for more information.
You can modify your existing Herculon SSL Orchestrator configuration if you need to make changes.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. Modify your configuration and then click Deploy.
See the Diagnosing your Herculon SSL Orchestrator deployment section for more detailed information on how to monitor the success or failure of your configuration modification. If successful, your existing configuration is now updated.

Undeploying your Herculon SSL Orchestrator configuration

We recommend that you back up your BIG-IP® configuration prior to making any modifications to your F5® Herculon™ SSL Orchestrator™ configuration. Refer to the Backing up the BIG-IP configuration section of this document for more information.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. Click Undeploy.
See the Diagnosing your Herculon SSL Orchestrator deployment section for more detailed information on how to monitor the success or failure of your device undeployment. If successful, your entire configuration is now removed from your system.

Diagnosing your Herculon SSL Orchestrator deployment

You can diagnostically monitor each deployment and undeployment for a device configuration whether you are deploying a single device or multiple boxes in a high availability (HA) device group. The system displays an application status message above the network diagram indicating whether your device or device group has successfully Deployed or suffered an Error.

When there are multiple devices in a device group in an HA scenario, the application status message displays the state of the deployment as one system. For example, if two out of four devices in a device group deploy with errors, the application status message displays 2 Error, indicating two devices suffered an error during deployment.

If you click View Details next to the application status message when you have multiple devices in a sync group, the Application Status dialog box opens. The Application Status table lists each BIG-IP® device with individual links to the Diagnostic screen. The Diagnostic screen displays the current device's deployment information and assists in further diagnosing any issues.

After completing an F5® Herculon™ SSL Orchestrator™ configuration deployment, or if you are performing an undeployment, you can diagnose your deployment status.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The General Properties screen opens.
  2. On the General Properties screen, click either Deploy or Undeploy.

    Above the network diagram, the application status displays a spinning wheel with the message Currently being deployed or Currently being undeployed.

    Once the process is complete, the application status message displays Deployed, Undeployed, or Error.

  3. If you have multiple devices in a device group, click View Details. If you are deploying or undeploying a single device, proceed to step 4.

    If your deployment or undeployment is successful, the Diagnostic screen opens.

    If your deployment or undeployment is not successful, the Application Status dialog box opens showing each BIG-IP device with individual links to the Diagnostic screen.

  4. Click OK to close the Application Status dialog box, or click the link in the Details column for a particular device to open the Diagnostic screen.
    The Application Diagnostic area shows details for the current device that you selected. This is information you can use to further diagnose your application status.
  5. On the Main tab, click SSL Orchestrator > Configuration, and on the menu bar, click Diagnostic to view diagnostic information on your current device.
    The Diagnostic screen opens.