Manual Chapter : Setting Up an F5 SSL Orchestrator Basic Deployment

Applies To:

F5 SSL Orchestrator
  • 14.0.0

Overview: Setting up a basic configuration

This section contains the general information that is required before you can complete the configuration of your F5® SSL Orchestrator™ deployment. The workflow in this chapter provides the F5 recommended deployment settings and instructions to assist in quickly configuring your basic deployment settings. It also provides the necessary steps to create services, install default outbound interception rules, and define your SSL management settings and per-request policies.
Note:
Using the SSL Orchestrator default outbound interception rules settings is recommended by F5 and allows you to:
  • Define your outbound proxy scheme settings to support Transparent, Explicit, or Transparent and Explicit proxy modes.
  • Simplify your security settings by creating both SSL and Per-Request Policy settings with pre-defined configurations for your outbound rule.
  • Simplify your ingress network VLAN settings with pre-defined configuration for your outbound rule.

In addition, by using the default outbound interception rules option, direct links are provided to set up SSL settings, per-request policies, and network VLANs from within the default screen. Within the SSL settings, per-request policies, and network VLANs screens, SSL Orchestrator auto-selects certain field settings to further streamline your deployment setup.

SSL Orchestrator Deployment Workflow

SSL Orchestrator legend:
  • Step 1: Create Deployment Settings.
  • Step 2: Create Services (such as HTTP, ICAP, L2/L3, and receive-only/TAP) with any network VLAN settings required.
  • Step 3: Install Interception Rules with any SSL management and Per-Request Policy settings required.

Configuring deployment settings

Before you configure your SSL Orchestrator deployment settings, make sure you have completed the installation and upgrade procedures.

By providing general information that the system needs, you can set up outbound and inbound devices, create services and service chains, and create interception rules using the SSL Orchestrator deployment workflow. You can use the following steps to configure your deployment settings.

Note: By default, during the F5 SSL Orchestrator deployment process, the system database value for Traffic Management Microkernel (TMM) fast forward is automatically disabled (set to “false”). To ensure your F5 SSL Orchestrator deployment works properly, make sure the system database value for TMM fast forward remains disabled throughout the deployment. If you are not using F5 SSL Orchestrator and need the system database value for TMM fast forward enabled, it must be manually changed.
Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Deployment . The Deployment Settings screen opens.
  2. In the Deployment Name field, type a name after the default prefix sslo_ for this configuration.
  3. In the Description field, type a short description of your deployment.
  4. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled, because manual changes can result in an unusable application and impair F5's ability to support your product.
  5. In the Deployed Network field, the network type (L2 Network or L3 Network) is selected based on your initial network setup.
  6. From the IP Family list, select whether you want this configuration to support IPv4 only, IPv6 only, or both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
    Note: If you select IPv4 and IPv6, when you create HTTP, L2, or L3 services, you must either:
    • Create separate services for each inline service and policies for IPv4 and IPv6 traffic and attach the correct policy to each interception rule, or,
    • Create separate services for each inline service, modify the service chain macro in the policy created, and manually make IPv4 and IPv6 traffic follow a different path.
    Note: If you select IPv4 only or IPv6 only, an inline device that uses the other address family is not handled automatically: disable Strict Update and manually add address translation on the virtual servers of that service.
  7. From the Manage SNAT Settings list, either select None or whether you want to use SNAT or Auto Map to translate addresses.
    SNAT Auto Map uses a BIG-IP Self IP address to replace each client source IP address. With SNAT Auto Map you do not have to define a pool of distinct host addresses for SNAT to use. However, the source ports of any Self IP address are divided among the BIG-IP CPUs (TMMs), so each TMM can use only a fraction of them. As traffic volume increases, TMMs exhaust their SNAT port allocations and start to drop connections. More powerful BIG-IP devices, which have more TMMs sharing the same port range, are actually more likely to drop connections when using SNAT Auto Map. Unless your traffic volume is small, you should define SNAT addresses instead of using SNAT Auto Map.
  8. Options to provide SNAT addresses will vary, whether you selected IPv4, IPv6, or both IPv4 and IPv6. Type at least as many IP host addresses as the number of TMM instances on the ingress device. Each address must be uniquely assigned and routed to the ingress device. It is best to assign addresses which are adjacent and grouped under a CIDR mask, for example, 203.0.113.8 up through 203.0.113.15 which fill 203.0.113.8/29.
    • In the IPv4 SNAT Addresses field, type the IPv4 SNAT address.
    • In the IPv6 SNAT Addresses field, type the IPv6 SNAT address.
    • In both the IPv4 SNAT Addresses and IPv6 SNAT Addresses fields, type both the IPv4 and IPv6 SNAT addresses.
    Note: Click the + button to add additional addresses.
  9. From the Gateways list, select whether you want the system to let all SSL traffic use the default route, or if you want to specify Internet gateways (routers). If you chose to use specific gateways, you can also define the ratio of traffic sent to each device in the next step.
    • Select Default route if you want outbound/Internet traffic to use the default route on the BIG-IP system.
    • Select Specific gateway if you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given).
  10. Options to provide the outbound gateway addresses will vary whether you selected IPv4, IPv6, or both IPv4 and IPv6. Type the IP addresses of the inward interface of the first Layer 3 device in the decrypt zone or the decrypt zone gateway.
    • In the IPv4 Outbound Gateway address fields, type the IPv4 gateway addresses and select the Ratio number from the list.
    • In the IPv6 Outbound Gateway address fields, type the IPv6 gateway addresses and select the Ratio number from the list.
    • In the IPv4 Outbound Gateway and IPv6 Outbound Gateway address fields, type the IPv4 and IPv6 gateway addresses and select the Ratio number from the list.
      Note: Click the + button to add additional addresses. You can enter multiple gateways if you have multiple systems and wish to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.
  11. In the Non-public IPv6 Networks field, type the requested IPv6 address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
  12. From the DNS Query Resolution list, select Internet authoritative name server or Local forwarding name server to either permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from SSL Intercept. Direct resolution can be more reliable than using forwarders but requires outbound UDP+TCP port 53 access to the Internet.
  13. From the Local Forwarding Nameserver(s) field, type the IP address of local nameservers that will resolve all DNS queries from this implementation.
    Note: Click the + button to add additional addresses.
  14. In the Local/Private Forward Zones fields, type the IP address of one or more Nameservers and their Forward Zones and click Add.
  15. Select the DNSSEC Validation check box to have the system validate DNS answers with DNSSEC. Validating DNS information with DNSSEC improves security. Dynamic Domain Bypass can use DNSSEC on all BIG-IP devices.
  16. From the Logging Level list, select the level of logging you want the system to perform:
    • Use Errors to log only functional errors related to how SSL Orchestrator functions.
    • Use Normal to log per-connection data in addition to functional errors.
    • Use Debug to log debug data as well as connection data and functional errors. Because this logging level consumes more resources on the BIG-IP system, use this mode only during setup or troubleshooting.
  17. Click Finished.
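
The following Python script is an added example and is not part of this F5 documentation or of the SSL Orchestrator product. It checks the values you are about to type in steps 7 through 11 before you commit them: that a SNAT address list is a single address family, has at least one address per TMM, and exactly fills one CIDR block as recommended in step 8; why SNAT Auto Map runs out of ports sooner on larger devices (step 7); and whether an IPv6 prefix counts as non-public for step 11. The port arithmetic is a deliberate simplification (an equal split of the 1024 – 65535 source-port range across TMMs), not an F5 figure, and the 203.0.113.0/24 and 2001:db8:: addresses are documentation-range sample data.

```python
import ipaddress

# Simplified model (assumption, not an F5 figure): source ports 1024-65535 of a
# SNAT address are split evenly across the TMMs of the device.
EPHEMERAL_PORTS = 65535 - 1024 + 1          # 64512 source ports per address
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")   # "public" IPv6 per the page


def automap_port_budget(tmm_count: int) -> int:
    """Source ports one TMM can draw from a single Self IP under SNAT Auto Map.

    More TMMs sharing the same range means fewer ports per TMM, which is why a
    larger device exhausts SNAT ports sooner than a smaller one."""
    return EPHEMERAL_PORTS // tmm_count


def check_snat_addresses(addrs, tmm_count: int) -> dict:
    """Validate a step 8 SNAT address list.

    Rejects an empty or mixed-family list and a list shorter than the TMM count,
    and reports whether the addresses exactly fill one CIDR block."""
    ips = {ipaddress.ip_address(a) for a in addrs}
    if not ips:
        raise ValueError("no SNAT addresses given")
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("IPv4 and IPv6 addresses mixed in one SNAT list")
    if len(ips) < tmm_count:
        raise ValueError(f"{len(ips)} SNAT addresses for {tmm_count} TMMs; "
                         "need at least one address per TMM")
    ips = sorted(ips)
    # The smallest set of CIDR blocks spanning first..last; one block whose
    # size equals the address count means the list fills that block exactly.
    blocks = list(ipaddress.summarize_address_range(ips[0], ips[-1]))
    fills_cidr = len(blocks) == 1 and blocks[0].num_addresses == len(ips)
    return {
        "block": str(blocks[0]) if fills_cidr else None,
        "fills_cidr": fills_cidr,
        # ports one TMM can use across all listed addresses (same simplification)
        "per_tmm_port_budget": automap_port_budget(tmm_count) * len(ips),
    }


def is_non_public_ipv6(prefix: str) -> bool:
    """True for prefixes outside 2000::/3 (for example ULA fc00::/7), which
    step 11 routes through the IPv6 gateways."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        raise ValueError(f"{prefix} is not an IPv6 prefix")
    return not net.subnet_of(GLOBAL_UNICAST_V6)


if __name__ == "__main__":
    # Sample data: the page's own 203.0.113.8-203.0.113.15 example on an 8-TMM device.
    print(check_snat_addresses([f"203.0.113.{i}" for i in range(8, 16)], tmm_count=8))
    for tmms in (2, 8, 16):
        print(f"{tmms} TMMs: Auto Map gives each TMM {automap_port_budget(tmms)} ports")
    print("fd12:3456::/48 non-public:", is_non_public_ipv6("fd12:3456::/48"))
    print("2001:db8::/32 non-public:", is_non_public_ipv6("2001:db8::/32"))
```

Run it with the address list you intend to type; a `ValueError` means the form input would be wrong for the device, and `fills_cidr` false means the addresses are not the adjacent, CIDR-aligned group that step 8 recommends.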

You have configured your deployment settings. Next, to create settings for services such as HTTP, ICAP, L2/L3, and receive-only/TAP, see the Create F5 SSL Orchestrator services section.

Create F5 SSL Orchestrator services

This section describes how to create HTTP services, ICAP services, Layer 2 and Layer 3 inline services, and receive-only/TAP services.

Creating F5 SSL Orchestrator HTTP services

Before creating HTTP services, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.
You can configure inline HTTP explicit or transparent proxy settings with SSL Orchestrator configured as either an explicit or transparent proxy for extended SSL visibility and existing or new deployments. Using SSL Orchestrator, you can support multiple explicit and transparent proxy configurations such as:
  • SSLO Explicit proxy with in-line explicit proxy as a service (EP-EP).
  • SSLO Transparent proxy with in-line explicit proxy as a service (TP-EP).
  • SSLO Explicit proxy with in-line transparent proxy as a service (EP-TP).
  • SSLO Transparent proxy with in-line transparent proxy as a service (TP-TP).
Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Services > HTTP Services . The HTTP Services screen opens.
  2. Click Create. The New HTTP Services screen opens.
  3. In the Name field, type a name after the default prefix sslS_.
  4. In the Description field, type a short description of the new HTTP setting.
  5. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled, because manual changes can result in an unusable application and impair F5's ability to support your product.
  6. From the IP Family list, select whether you want this configuration to support IPv4 or IPv6.
    You must configure IP addresses in the family you select for all IP address fields in this application.
    Note: If you select IPv4 and IPv6 when configuring your Deployment Settings, when you create HTTP services, you must either:
    • Create separate services for each inline service and policies for IPv4 and IPv6 traffic and attach the correct policy to each interception rule, or,
    • Create separate services for each inline service, modify the service chain macro in the policy created, and manually make IPv4 and IPv6 traffic follow a different path.
    Note: If you select IPv4 only or IPv6 only, an inline device that uses the other address family is not handled automatically: disable Strict Update and manually add address translation on the virtual servers of that service.
  7. In the Auto Manage field, select the check box to use default BIG-IP paths that each VLAN will use. By selecting the check box, the system auto-generates the To Service and From Service address ranges. If you do not select the Auto Manage check box, you must select a previously created address or create new network VLANs.
  8. From the Proxy Type list, select whether the system operates in Transparent Proxy mode or Explicit Proxy mode.
    • Select Transparent Proxy for the system to operate in transparent proxy mode. The transparent proxy scheme can intercept all types of TLS and TCP traffic. It also processes UDP traffic and forwards all other types of traffic. The transparent proxy requires no client configuration modifications. If setting up an inline transparent proxy as a service, F5 recommends you set the SSL Orchestrator Proxy Scheme as either an explicit or transparent proxy from SSL Orchestrator > Interception Rules and click Install Default Outbound Rules.
    • Select Explicit Proxy for the system to operate in explicit proxy mode. The explicit proxy scheme supports only HTTP(S) per RFC2616. If you choose to configure an explicit proxy, assign a specific IP address and TCP port where the HTTP explicit-proxy clients connect. If setting up an inline explicit proxy as a service, F5 recommends you set the SSL Orchestrator Proxy Scheme as either an explicit or transparent proxy from the SSL Orchestrator > Interception Rules and click Install Default Outbound Rules.
    Note: When configuring a single device SSL Orchestrator transparent proxy in front of an explicit proxy, SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspections. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends it to the explicit proxy. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections.
  9. From the To Service list, for each VLAN pair, select the default BIG-IP paths that each VLAN will use.
    • If you selected Auto Manage, the default address range is auto-filled.
    • If you did not select Auto Manage, select an option from the list or click Create New to create a new network VLAN.
    Note: If you create a new network VLAN, SSL Orchestrator will take you to the New Network screen to complete its creation before returning you to the New HTTP Services screen. For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  10. If you selected Auto Manage, from the VLAN list, select a previously created address or click Create New if you need to create a new network VLAN address within the To Service address range. If you did not select Auto Manage, the VLAN field is no longer a user option.
    Note: For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  11. In the Node fields, type an IP address and port number (1 – 65535) and click Add. The IP Address and Port fields update with the new information.
  12. From the From Service list, for each VLAN pair, select the default BIG-IP paths that each VLAN will use.
    • If you selected Auto Manage, the default address range is auto-filled.
    • If you did not select Auto Manage, select an option from the list or click Create New to create a new network VLAN.
    Note: If you create a new network VLAN, SSL Orchestrator will take you to the New Network screen to complete its creation before returning you to the New HTTP Services screen. For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  13. If you selected Auto Manage, from the VLAN list, select a previously created address or click Create New if you need to create a new network VLAN address within the From Service address range. If you did not select Auto Manage, the VLAN field is no longer a user option.
    Note: For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  14. From the Service Down Action list, select how you want the system to handle an HTTP service failure or when it is otherwise unavailable. Select one of the following options:
    • Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain.
    • Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, which has no RST, this action is the same as Drop.
    • Drop: Specifies that the system initiates a close on the client connection.
  15. Select the Authentication Offload check box to enable authentication offload. It is cleared by default.
  16. From the iRules fields, select the iRules you want to run. iRules help automate the intercepting, processing, and routing of application traffic. Use the move buttons to add, remove, or reorder the iRules list.
    • Selected: Lists the iRules on the system that are already selected. The system applies an iRule in the order in which it appears in the list.
    • Available: Lists the iRules on the system that are available to apply to the virtual server.
  17. Click Finished.

You have now completed your HTTP services settings. Next, to create settings for ICAP services, see the Creating F5 SSL Orchestrator ICAP services section.

Configuring F5 SSL Orchestrator network VLANs

Before creating network VLAN settings, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.
Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Network . The Network screen opens.
  2. Click Create. The New Network screen opens.
  3. In the Name field, type a name after the default prefix sslN_.
  4. In the Description field, type a short description of the new network VLAN setting.
  5. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled, because manual changes can result in an unusable application and impair F5's ability to support your product.
  6. From the VLAN list, select the VLAN where the service device resides. To create a new VLAN, select Create New from the list. The Interface and Tag fields appear.
  7. From the Interface list, select the VLAN interface number.
  8. From the Tag list, select the VLAN tag number by using the arrows provided.
    Note: The arrows to select the VLAN tag number appear when you hover your cursor over the Tag list field.
  9. From the Self IP field, specify the self IP address definition. This can be either an IPv4 or an IPv6 address.
  10. From the Netmask field, specify the netmask for this self IP address. You must type the full netmask. Specifying the prefix length in bits is not supported. For example, you can type ffff:ffff:ffff:ffff:0000:0000:0000:0000 or ffff:ffff:ffff:ffff:: (with two colons at the end).
  11. From the Route Domain list, select the unique identifying integer representing the route domain. Using route domains, you can assign the same IP address to more than one device on a network, as long as each instance of the IP address resides in a separate routing domain. To create a new route domain, click Create and use the arrows provided once you hover your cursor over the field. Click Select to choose the newly created route domain.
  12. Click Finished.

You have now completed your network VLAN settings.

Creating F5 SSL Orchestrator ICAP services

Before creating ICAP services, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.

ICAP services use the ICAP protocol (RFC 3507) to refer HTTP traffic to one or more content adaptation devices for inspection or modification. You can add an ICAP service to any TCP service chain, but only HTTP traffic is sent to the ICAP service. Additionally, you can configure up to ten ICAP services using the SSL Orchestrator configuration utility and load balance across them.

Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Services > ICAP Services . The ICAP Services screen opens.
  2. Click Create. The New ICAP Services screen opens.
  3. In the Name field, type a name after the default prefix ssloS_.
  4. In the Description field, type a short description of the new ICAP settings.
  5. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled, because manual changes can result in an unusable application and impair F5's ability to support your product.
  6. From the IP Family list, select whether you want this configuration to support IPv4 only, IPv6 only, or both IPv4 and IPv6.
    If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
  7. In the ICAP Devices fields, type a unique IP address and port number (1 – 65535) for each ICAP device you are configuring. If you add more than one ICAP device, they become part of a BIG-IP load balancing pool with a TCP health monitor attached to each device.
  8. Click Add. The IP Address and Port fields update with the new information.
  9. From the Headers Mode list, select one of the two options:
    • Select Custom if you want to manually create the Host, Referrer, User Agent, and From field information.
    • Select Default if you want the system to automatically create headers mode information.
  10. In the OneConnect field, select the check box to use the OneConnect feature for the ICAP servers. The F5 OneConnect profile improves performance by reusing TCP connections to ICAP servers to process multiple transactions. If your ICAP servers do not support multiple ICAP transactions per TCP connection, clear the check box to disable OneConnect.
  11. In the Request field, type the ICAP request processing URI, as defined by RFC 3507, for your ICAP server. The default content for the Request field is icap://${SERVER_IP}:${SERVER_PORT}/REQ.
  12. In the Response field, type the ICAP response processing URI for this service. The default content for the Response field is icap://${SERVER_IP}:${SERVER_PORT}/RES.
  13. In the Preview Max Length (bytes) field, type the number of bytes you want to use as the maximum length for the ICAP preview. Bytes of content up to the specified number are sent to the ICAP server as a preview of each HTTP request or response. If you set the maximum preview length to zero (0), then requests and responses are streamed through the ICAP server. The largest value currently supported is 51200 (50KB).
  14. From the Service Down Action list, select how you want the system to handle a service failure or when it is otherwise unavailable. Select one of the following options:
    • Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain.
    • Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, which has no RST, this action is the same as Drop.
    • Drop: Specifies that the system initiates a close on the client connection.
  15. From the Send HTTP/1.0 Requests to ICAP list, specify which HTTP versions the BIG-IP system sends to the ICAP servers:
    • HTTP/1.0 & HTTP/1.1: Both HTTP/1.0 and HTTP/1.1 requests are sent to the ICAP service.
    • HTTP/1.1 only: Only HTTP/1.1 requests are sent to the ICAP service. HTTP/1.0 requests are not inspected and are forwarded to the next device in the chain.
  16. From the ICAP Policy list, select a policy from the available options.
  17. Click Finished.
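
The following Python script is an added example, not F5 code and not the BIG-IP's own ICAP implementation. It shows what the Request URI (step 11) and Preview Max Length (step 13) settings turn into on the wire: an ICAP REQMOD request per RFC 3507 that encapsulates an HTTP request, sends the first N body bytes as a Preview chunk, and then acts on the server's 100, 204 or 200 reply. The ICAP device address 192.0.2.10:1344, the HTTP request and the two server replies are constructed sample data.

```python
import re

# Assumed ICAP device (RFC 5737 documentation address, IANA ICAP port).
SERVER_IP = "192.0.2.10"
SERVER_PORT = 1344
REQ_URI = f"icap://{SERVER_IP}:{SERVER_PORT}/REQ"   # the page's default Request URI

# Constructed sample traffic: an HTTP request with an 11-byte body, plus the
# two replies an ICAP server commonly gives to a preview.
SAMPLE_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"Content-Length: 11\r\n\r\nhello world")
SAMPLE_204 = b'ICAP/1.0 204 No Content\r\nISTag: "W3E4R7U9-L2E4-2"\r\n\r\n'
SAMPLE_100 = b"ICAP/1.0 100 Continue\r\n\r\n"


def split_http_message(raw: bytes):
    """Return (headers including the terminating blank line, body)."""
    idx = raw.find(b"\r\n\r\n")
    if idx < 0:
        raise ValueError("no header terminator in HTTP message")
    return raw[: idx + 4], raw[idx + 4:]


def _chunk(data: bytes) -> bytes:
    """One HTTP/1.1 chunk: hex length, CRLF, data, CRLF."""
    return f"{len(data):x}\r\n".encode() + data + b"\r\n"


def build_reqmod(http_request: bytes, preview_max: int) -> bytes:
    """Encode an ICAP REQMOD request carrying http_request.

    preview_max is the 'Preview Max Length (bytes)' setting: the first
    preview_max body bytes go out as a Preview chunk so the server can decide
    before seeing the rest; 0 disables Preview and streams the whole body."""
    hdr, body = split_http_message(http_request)
    lines = [f"REQMOD {REQ_URI} ICAP/1.0", f"Host: {SERVER_IP}", "Allow: 204"]
    if not body:
        # Encapsulated offsets are byte positions inside the encapsulated part.
        lines.append(f"Encapsulated: req-hdr=0, null-body={len(hdr)}")
        payload = b""
    else:
        lines.append(f"Encapsulated: req-hdr=0, req-body={len(hdr)}")
        if preview_max > 0:
            n = min(preview_max, len(body))
            lines.append(f"Preview: {n}")
            # '0; ieof' tells the server the preview already held the whole body.
            payload = _chunk(body[:n]) + (b"0; ieof\r\n\r\n" if n == len(body) else b"0\r\n\r\n")
        else:
            payload = _chunk(body) + b"0\r\n\r\n"
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + hdr + payload


def remaining_chunks(http_request: bytes, preview_max: int) -> bytes:
    """Body bytes still owed to the server after it answers 100 Continue."""
    _, body = split_http_message(http_request)
    rest = body[preview_max:]
    return (_chunk(rest) + b"0\r\n\r\n") if rest else b""


_STATUS = re.compile(rb"^ICAP/1\.0 (\d{3}) ")


def parse_icap_response(raw: bytes):
    """Return (status code, lower-cased header dict) from an ICAP reply."""
    head, _ = split_http_message(raw)
    lines = head.split(b"\r\n")
    m = _STATUS.match(lines[0])
    if not m:
        raise ValueError("not an ICAP/1.0 status line")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode()
    return int(m.group(1)), headers


def next_action(status: int) -> str:
    """What the client does with the server's answer to the preview."""
    return {100: "send remaining body",   # server wants the rest before deciding
            204: "forward original",      # no modification needed (Allow: 204 permits this)
            200: "use adapted message"}.get(status, "error")


if __name__ == "__main__":
    print(build_reqmod(SAMPLE_REQUEST, preview_max=4).decode())
    for reply in (SAMPLE_100, SAMPLE_204):
        status, _ = parse_icap_response(reply)
        print(status, "->", next_action(status))
```

Set `preview_max` to the value you intend to type in step 13 and compare the resulting `Preview` and `Encapsulated` headers against what your ICAP server expects; a server that cannot handle `0; ieof` or a preview larger than it advertises in its OPTIONS reply will return an error rather than 100 or 204.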

You have now completed your ICAP services settings. Next, to create settings for L2/L3 inline services, see the Create F5 SSL Orchestrator inline services section.

Create F5 SSL Orchestrator inline services

Before creating Layer 2 (L2) and Layer 3 (L3) inline services, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.

Inline services pass traffic through one or more service devices at Layer 2 or Layer 3. You use inline services in service chains, where each service device communicates with the BIG-IP® device, on the ingress side and over two VLANs. These VLANs route traffic toward the intranet and Internet, respectively.

Layer 3 inline services require you to provide the IP address of each service device in the SSL Orchestrator configuration. The configuration sends traffic to, and receives it back from, the services using a pre-defined set of addresses.

Note: If you select IPv4 and IPv6 when configuring your Deployment Settings, when you create L2 or L3 inline services, you must either:
  • Create separate services for each inline service and policies for IPv4 and IPv6 traffic and attach the correct policy to each interception rule, or,
  • Create separate services for each inline service, modify the service chain macro in the policy created, and manually make IPv4 and IPv6 traffic follow a different path.
Note: If you select IPv4 only or IPv6 only, an inline device that uses the other address family is not handled automatically: disable Strict Update and manually add address translation on the virtual servers of that service.

Creating F5 SSL Orchestrator layer 2 inline services

Before creating layer 2 (L2) inline services, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.
Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Services > L2 Services . The L2 Services screen opens.
  2. Click Create. The New L2 Services screen opens.
  3. In the Name field, type a name after the default prefix ssloS_.
  4. In the Description field, type a short description of the new L2 settings.
  5. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled, because manual changes can result in an unusable application and impair F5's ability to support your product.
  6. From the IP Family list, select whether you want this configuration to support IPv4 or IPv6.
    You must configure IP addresses in the family you select for all IP address fields in this application.
    Note: If you select IPv4 and IPv6 when configuring your Deployment Settings, when you create L2 services, you must either:
    • Create separate services for each inline service and policies for IPv4 and IPv6 traffic and attach the correct policy to each interception rule, or,
    • Create separate services for each inline service, modify the service chain macro in the policy created, and manually make IPv4 and IPv6 traffic follow a different path.
    Note: If you select IPv4 only or IPv6 only, an inline device that uses the other address family is not handled automatically: disable Strict Update and manually add address translation on the virtual servers of that service.
  7. In the Service Subnet field, the service subnet is auto populated depending on the IP Family (IPv4 or IPv6) selected.
    Note: The L2-service’s internally assigned IP address, used for routing purposes, ensures that cloned traffic is sent out on the VLAN where the L2-service resides.
  8. In the L2 Service’s Paths fields, you must specify the BIG-IP paths and VLAN tag (if any; 0 means untagged) that each VLAN will use for each VLAN pair.
    • Each Inward VLAN must be connected to the same Layer 2 virtual network from every device in the Sync-Failover Device Group and each Outward VLAN likewise, but to a distinct Layer 2 virtual network. Inward and Outward VLANs on different BIG-IP devices may use different interfaces and even tags (with external bridging) to connect to the same Layer 2 virtual networks.
    • If you choose to use the Ratio field, the BIG-IP system distributes connections among pool members in a static rotation according to ratio weights that you define. In this case, the number of connections that each system receives over time is proportionate to the ratio weight you defined for each pool member or node. This number must be between 1-100.
    • For example, if you have five devices and you assign a ratio of 1 to the first three devices, and a ratio of 2 to the fourth device, and a ratio of 3 to the fifth device; the first three devices with a ratio of 1 each receive 1/8 of the traffic. The fourth device receives 1/4 of the traffic, and the fifth device receives 3/8 of the traffic.
  9. From the Service Down Action list, select how you want the system to handle a service failure or when it is otherwise unavailable. Select one of the following options:
    • Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain.
    • Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, which has no RST, this action is the same as Drop.
    • Drop: Specifies that the system initiates a close on the client connection.
  10. In the Port Remap field, select the Enabled check box to enable port remapping for this inline service.
  11. In the Remap Port To field, type the port number to remap traffic to. It must be between 1 – 65535.
  12. In the iRules fields, select the iRules you want to run. iRules help automate the intercepting, processing, and routing of application traffic. Use the move buttons to add, remove, or reorder the iRules list.
    • Selected: Lists the iRules on the system that are already selected. The system applies an iRule in the order in which it appears in the list.
    • Available: Lists the iRules on the system that are available to apply to the virtual server.
  13. Click Finished.

You have now completed your L2 services settings. Next, to create settings for L3 services, see the Creating F5 SSL Orchestrator layer 3 inline services section.

Creating F5 SSL Orchestrator layer 3 inline services

Before creating layer 3 (L3) inline services, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.

You can create an L3 inline services configuration to send and receive information from the services using a pre-defined set of addresses.

Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Services > L3 Services. The L3 Services screen opens.
  2. Click Create. The New L3 Services screen opens.
  3. In the Name field, type a name after the default prefix ssloS_.
  4. In the Description field, type a short description of the new L3 settings.
  5. From the IP Family list, select whether you want this configuration to support IPv4 or IPv6.
    You must configure IP addresses in the family you select for all IP address fields in this application.
    Note: If you select IPv4 and IPv6 when configuring your Deployment Settings, when you create L3 services, you must either:
    • Create separate services for each inline service and policies for IPv4 and IPv6 traffic and attach the correct policy to each interception rule, or,
    • Create separate services for each inline service, modify the service chain macro in the policy created, and manually make IPv4 and IPv6 traffic follow a different path.
    • If you selected either IPv4 only or IPv6 only, the inline device can only be configured into the other IP type. Disable Strict Update to manually add an address translation on the virtual servers of that service.
  6. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled to avoid misconfigurations that can result in an unusable application and F5's ability to support your product.
  7. In the Auto Manage field, select the check box to use default BIG-IP paths that each VLAN will use. By selecting the check box, the system auto-generates the To Service and From Service address ranges. If you do not select the Auto Manage check box, you must select a previously created address or create new network VLANs.
  8. From the To Service list, for each VLAN pair, select the default BIG-IP paths that each VLAN will use.
    • If you selected Auto Manage, the default address range is auto-filled.
    • If you did not select Auto Manage, select an option from the list or click Create New to create a new network VLAN.
    Note: If you create a new network VLAN, SSL Orchestrator will take you to the New Network screen to complete its creation before returning you to the New L3 Services screen. For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  9. If you selected Auto Manage, from the VLAN list, select a previously created address or click Create New if you need to create a new network VLAN address within the To Service address range. If you did not select Auto Manage, the VLAN field is no longer a user option.
    Note: For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  10. In the Node fields, type an IP address of the node and click Add to update the IP Address field.
    • Review the following examples when setting up IP addresses for Layer 3 inline services. If the servers available are 198.19.2.61 to 68, the Monitoring Device Settings are:
      • Inward Side IP address: 198.19.2.61
      • Outward Side IP address: 198.19.2.161
      • Default Gateway: 198.19.2.245
      • Inward Side route for all internal subnets, next hop: 198.19.2.1
    • If the servers available are fd06:4d61:1:0::41 to 48, the Monitoring Device Settings are:
      • Inward Side IP address: fd06:4d61:1::41
      • Outward Side IP address: fd06:4d61:1::f1
      • Default Gateway: fd06:4d61:1::f5
      • Inward Side route for all internal subnets, next hop: fd06:4d61:1::1
  11. From the From Service list, for each VLAN pair, select the default BIG-IP paths that each VLAN will use, or click Create New if you have selected Auto Manage.
    • If you selected Auto Manage, the default address range is auto-filled.
    • If you did not select Auto Manage, select an option from the list or click Create New to create a new network VLAN.
    Note: If you create a new network VLAN, SSL Orchestrator will take you to the New Network screen to complete its creation before returning you to the New L3 Services screen. For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  12. If you selected Auto Manage, from the VLAN list, select a previously created address or click Create New if you need to create a new network VLAN address within the From Service address range. If you did not select Auto Manage, the VLAN field is no longer a user option.
    Note: For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  13. From the Service Down Action list, select how you want the system to handle a service failure or when it is otherwise unavailable. Select one of the following options:
    • Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain.
    • Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, this action is the same.
    • Drop: Specifies that the system initiates a close on the client connection.
  14. In the Port Remap field, select the Enabled check box to specify you want to enable the port remap feature for inline services.
  15. In the Remap Port To field, type the port number that traffic is remapped to. It must be between 1 and 65535.
  16. In the iRules fields, select the iRules you want to run. iRules help automate the intercepting, processing, and routing of application traffic. Use the move buttons to add, remove, or reorder the iRules list.
    • Selected: Lists the iRules on the system that are already selected. The system applies an iRule in the order in which it appears in the list.
    • Available: Lists the iRules on the system that are available to apply to the virtual server.
  17. Click Finished.
    Note: Layer 3 devices need to follow a specific fixed addressing scheme. For each of the 10 possible Layer 3 inline services, you need to use the following configuration (with x being 0-9 representing the inline service):
    Inward Interface:
    • IPv4 Address: 198.19.x.61 through 68 (for each of the load balanced Layer 3 devices)
    • IPv4 Netmask: 255.255.255.128
    • IPv6 Address: fd06:4d61:x::41 through 48 (for each of the load balanced Layer 3 devices)
    • IPv6 Netmask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00
    Outward Interface:
    • IPv4 Address: 198.19.x.161 through 168 (for each of the load balanced Layer 3 devices)
    • IPv4 Netmask: 255.255.255.128
    • IPv6 Address: fd06:4d61:x::141 through 148 (for each of the load balanced Layer 3 devices)
    • IPv6 Netmask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00
    Routes:
    • Default Gateway: 198.19.x.245
    • Gateway to internal networks: .1

    While the base address can be changed if needed, F5 recommends leaving it set to the default: 198.19.0.0.
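The following Python script is an added example; it is not part of this manual or of the SSL Orchestrator product. It generates the fixed addressing plan from the note above for a given inline service index x and checks a device's configured addresses against that plan before the service is created, which is a quick way to catch an inward/outward mix-up or a gateway placed on the wrong subnet. The function names are the example's own. The rule that the default gateway sits on the outward subnet and the gateway to internal networks on the inward subnet is derived from the IPv4 Routes values above (.245 falls in the upper /25, .1 in the lower); because the Routes subsection lists IPv4 values only, route checks are meaningful for IPv4 configurations.

```python
import ipaddress

# Fixed Layer 3 inline-service addressing scheme from the manual (x = inline service index, 0-9).
DEFAULT_BASE_V4 = "198.19.0.0"   # the manual recommends leaving the base address at this default
ULA_PREFIX_V6 = "fd06:4d61"      # first two hextets of the manual's IPv6 scheme
V4_NETMASK = "255.255.255.128"
V6_NETMASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00"


def l3_service_plan(x, base_v4=DEFAULT_BASE_V4):
    """Return the addresses the scheme assigns to Layer 3 inline service number x."""
    if not 0 <= x <= 9:
        raise ValueError("the scheme defines 10 Layer 3 inline services, x = 0..9")
    o1, o2 = ipaddress.IPv4Address(base_v4).packed[:2]
    v4 = lambda host: ipaddress.IPv4Address(f"{o1}.{o2}.{x}.{host}")
    v6 = lambda host: ipaddress.IPv6Address(f"{ULA_PREFIX_V6}:{x}::{host:x}")
    return {
        "ipv4": {
            "netmask": V4_NETMASK,
            "inward": [v4(61 + i) for i in range(8)],      # 198.19.x.61 through 68
            "outward": [v4(161 + i) for i in range(8)],    # 198.19.x.161 through 168
            "default_gateway": v4(245),                    # 198.19.x.245
            "internal_gateway": v4(1),                     # gateway to internal networks: .1
        },
        "ipv6": {
            "netmask": V6_NETMASK,
            "inward": [v6(0x41 + i) for i in range(8)],    # fd06:4d61:x::41 through 48
            "outward": [v6(0x141 + i) for i in range(8)],  # fd06:4d61:x::141 through 148
        },
    }


def subnet_of(addr, netmask):
    """Build the network containing addr for a dotted IPv4 or colon-hex IPv6 netmask."""
    addr = ipaddress.ip_address(addr)
    if addr.version == 4:
        return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    # ipaddress accepts only prefix lengths for IPv6, so count the mask bits (contiguous mask assumed)
    prefixlen = bin(int(ipaddress.IPv6Address(netmask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def check_l3_device(x, family, inward, outward, default_gateway=None, internal_gateway=None):
    """Compare one inline device's addressing with the scheme for service x.

    family is "ipv4" or "ipv6". Returns a list of problems; an empty list means
    the device follows the scheme. Gateway checks run only for the values given.
    """
    plan = l3_service_plan(x)[family]
    problems = []
    inward_ip, outward_ip = ipaddress.ip_address(inward), ipaddress.ip_address(outward)
    if inward_ip not in plan["inward"]:
        problems.append(f"inward {inward} is outside the service-{x} inward range")
    if outward_ip not in plan["outward"]:
        problems.append(f"outward {outward} is outside the service-{x} outward range")
    inward_net = subnet_of(plan["inward"][0], plan["netmask"])
    outward_net = subnet_of(plan["outward"][0], plan["netmask"])
    # The two interfaces must never share a subnet (the netmask splits the range in half)
    if inward_ip in outward_net or outward_ip in inward_net:
        problems.append("inward and outward interfaces must sit on distinct subnets")
    # Example's assumption, derived from the IPv4 Routes values: default gateway on the
    # outward subnet, gateway to internal networks on the inward subnet
    if default_gateway is not None and ipaddress.ip_address(default_gateway) not in outward_net:
        problems.append(f"default gateway {default_gateway} is not on the outward subnet")
    if internal_gateway is not None and ipaddress.ip_address(internal_gateway) not in inward_net:
        problems.append(f"internal-network gateway {internal_gateway} is not on the inward subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample: the first device of service 2, matching the manual's IPv4 example
    print(check_l3_device(2, "ipv4", "198.19.2.61", "198.19.2.161", "198.19.2.245", "198.19.2.1"))
    # Constructed sample: outward address typed into the inward half by mistake
    print(check_l3_device(2, "ipv4", "198.19.2.61", "198.19.2.61", "198.19.2.245", "198.19.2.1"))
```

Run the script against each device's planned addresses before clicking Finished; an empty list for every device means the inline service will use the addressing the note above requires.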

You have now completed your L3 services settings. Next, to create settings for receive-only/TAP services, see the Creating F5 SSL Orchestrator receive-only TAP services for traffic inspection section.

Creating F5 SSL Orchestrator receive-only TAP services for traffic inspection

Before creating receive-only TAP services, F5 recommends you complete all required areas in the deployment settings. Refer to the Configuring deployment settings section of this document for more information.

Receive-only services only receive traffic for inspection and do not send the traffic back to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic passing through the service to an inspection device. You can configure up to ten receive-only services using the F5 SSL Orchestrator configuration utility.

Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Services > TAP Services. The TAP Services screen opens.
  2. Click Create. The New TAP Services screen opens.
  3. In the Name field, type a name after the default prefix ssloS_.
  4. In the Description field, type a short description of the new TAP settings.
  5. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled to avoid misconfigurations that can result in an unusable application and F5's ability to support your product.
  6. From the IP Family list, select whether you want this configuration to support IPv4 or IPv6.
    You must configure IP addresses in the family you select for all IP address fields in this application.
  7. In the MAC Address field, type the MAC address of the receive-only device. This address must be reachable by a BIG-IP VLAN.
  8. From the VLAN list, select a VLAN option where the receive-only device resides or click Create New to create a new network VLAN.
    Note: If you create a new network VLAN, SSL Orchestrator will take you to the New Network screen to complete its creation before returning you to the New TAP Services screen. For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  9. From the Interface list, select the associated BIG-IP system interface.
  10. From the Service Down Action list, select how you want the system to handle a service failure or when it is otherwise unavailable. Select one of the following options:
    • Ignore: Specifies that the traffic to the service is ignored and is sent to the next in chain.
    • Reset: Specifies that the system immediately sends a RST on the client connection for TCP traffic. For UDP traffic, this action is the same.
    • Drop: Specifies that the system initiates a close on the client connection.
  11. In the Port Remap field, select the Enabled check box to specify you want to enable the port remap feature for inline services.
  12. In the Remap Port To field, type the port number that traffic is remapped to. It must be between 1 and 65535.
  13. In the IP Address field, the IP address is auto populated depending on the IP Family (IPv4 or IPv6) selected.
    Note: The TAP-service’s internally assigned IP Address, used for routing purposes, ensures that cloned traffic is sent out on the VLAN where the TAP-service resides.
  14. Click Finished.

You have now completed your TAP services settings. Next, to install default outbound interception rules, see the Installing default outbound interception rules section.

Installing default outbound interception rules

Before installing default outbound interception rules, F5 recommends you complete all required areas in the deployment settings and create all the services you require with supporting VLAN network settings. For more information, refer to the Configuring deployment settings and Create F5 SSL Orchestrator inline services sections in this document.
Using the SSL Orchestrator default outbound interception rules settings is recommended by F5 and allows you to:
  • Define your outbound proxy scheme settings to support Transparent, Explicit, or Transparent and Explicit proxy modes.
  • Simplify your security settings by creating both SSL and Per-Request Policy settings with pre-defined configurations for your outbound rule.
  • Simplify your ingress network VLAN settings with pre-defined configuration for your outbound rule.

In addition, by using the default outbound interception rules option, direct links are provided to set up SSL settings, per request policies, and network VLANs from within the default screen. When within the SSL settings, per request policies, and network VLANs screens, SSL Orchestrator auto-selects certain field settings to further streamline your deployment setup.

Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
Note: Depending on the Interception Rules settings you configure, you may see only some of the screen elements described here.
  1. On the Main tab, click SSL Orchestrator > Interception Rules. The Interception Rules screen opens.
  2. Click Install Default Outbound Rules. The Install Default Outbound Rules screen opens.
  3. In the Deployment Name field, the name of your configured deployment created in the Deployment Settings screen is displayed.
  4. In the Description field, type a short description of your interception rule settings.
  5. In the Label field, the default setting Outbound is displayed.
  6. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled to avoid misconfigurations that can result in an unusable application and F5's ability to support your product.
  7. In the Deployed Network field, the network type (L2 Network or L3 Network) is selected based on your initial setup.
  8. From the IP Family list, the IP family setting you selected while configuring your Deployment Settings is displayed.
  9. From the Proxy Scheme list, select whether the system operates in transparent proxy mode, explicit proxy mode, or both.
    • Select Transparent Proxy for the system to operate in transparent proxy mode. The transparent proxy scheme can intercept all types of TLS and TCP traffic. It also processes UDP traffic and forwards all other types of traffic. The transparent proxy requires no client configuration modifications.
    • Select Transparent and Explicit Proxies for the system to operate in explicit and transparent proxy modes simultaneously. By selecting this option, you will see the Protocols field appear where you can select your L7 interception rule protocols.
    • Select Explicit Proxy for the system to operate in explicit proxy mode. The explicit proxy scheme supports only HTTP(S) per RFC2616. If you choose to configure an explicit proxy, assign a specific IP address and TCP port where the HTTP explicit-proxy clients connect.
    Note: When configuring a single device SSL Orchestrator transparent proxy in front of an explicit proxy, SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspections. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends to the explicit proxy. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections.
  10. In the Classify UDP field, the check box is selected by default so that the transparent-proxy mode manages TCP traffic but allows UDP traffic to pass through unexamined. You can choose to manage UDP as well as TCP traffic, for example, to redirect QUIC web connections to HTTPS or to send UDP traffic to a receive-only service.
  11. In the Allow non-UDP/non-TCP field, select the check box to pass non-TCP, non-UDP traffic unexamined, or clear it to block traffic that is not TCP or UDP. By default, transparent-proxy mode blocks all non-TCP/UDP traffic, such as IPsec or SCTP.
  12. From the SSL list, select your SSL security setting or click Create New to create new SSL settings.
    Note: If you are creating new SSL settings, the SSL Management screen opens with the Forward Proxy field automatically selected as Enabled and greyed out to match your task of installing a default outbound interception rule. Once you have completed your SSL settings and click Finished, SSL Orchestrator returns you to the Install Default Outbound Rules screen to continue your configuration.
    Note: If you create new SSL security settings, SSL Orchestrator will take you to the New SSL Settings screen to complete its creation before returning you to the Install Default Outbound Rules screen. For more information on creating new SSL settings, see the Configuring SSL security settings section.
  13. From the Per Request Policy list, select a per request policy or select Create New to open the New Policy screen where you can define TCP and UDP service chain details.
    Note: If you are creating a new per-request policy, the New Policy screen opens with the Available Services fields automatically pre-populated with the services you created after completing the deployment settings. Follow the task steps found in the Creating a new per-request policy section of this guide to complete your new policy settings. Once you have completed your new policy settings click Finished and SSL Orchestrator returns you to the Install Default Outbound Rules screen to continue your configuration.
    Note: If you create new per request policies, SSL Orchestrator will take you to the New Policy screen to complete its creation before returning you to the Install Default Outbound Rules screen. For more information on creating new per request policies, see the Configuring new per-request policies section.
  14. In the VLANs field, specify one of the available VLANs or click Create New to open the New Network VLANs screen where you can define new VLAN settings.
    Note: If you are configuring a new network VLAN, the New Network screen opens. Follow the task steps found in the Configuring network VLANs section of this guide to complete your new VLAN settings. Once you have completed your new VLAN settings click Finished and SSL Orchestrator returns you to the Install Default Outbound Rules screen to continue your configuration.
    Note: If you create a new network VLAN, SSL Orchestrator will take you to the New Network screen to complete its creation before returning you to the Install Default Outbound Rules screen. For more information on creating a new network VLAN, see the Configuring F5 SSL Orchestrator network VLANs section.
  15. In the Protocols field, select the L7 interception rule protocols you want selected (you must select Transparent and Explicit Proxies from the Proxy Scheme list to see this option):
    • FTP
    • IMAP
    • POP3
    • SMTP
    Note: Depending on the protocols you selected, once you finish your interception rule settings, the Interception Rules list screen table is populated with the selected protocols.
  16. Click Finished.
You have now completed installing your default outbound interception rule.
Note: To create an additional outbound rule, see the Creating a new outbound interception rule section in this guide. To create an inbound listener (reverse proxy), see the Creating a new inbound interception rule section in this guide. In addition, you can now manage your per-request policies by selecting a deployment from the interception rules list page (SSL Orchestrator > Policies > Access Per-Request Policies). For more information, see the Managing the F5 SSL Orchestrator basic deployment section.

Configuring SSL security settings

Before configuring your SSL security settings, F5 recommends you complete all required areas in the deployment settings and create all the services you require with supporting VLAN network settings. For more information, refer to the Configuring deployment settings and Create F5 SSL Orchestrator inline services sections in this document.
Note: F5 recommends that you create SSL settings inline (via the link) while on the Installing Default Outbound Rules screen which provides a tailored set of options and settings to help with simplified SSL management.

You can use the SSL settings screen to set up or manage your forward proxy (for outbound traffic) or reverse proxy (for inbound traffic) scenarios, and to set up and manage the client and server ciphers, certificates, and key configurations required to process SSL traffic.

Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > SSL Management > SSL Settings. The SSL Settings screen opens.
  2. Click Create. The New SSL Settings screen opens.
  3. In the Name field, type a name after the default prefix ssloT_.
  4. In the Description field, type a short description of the new SSL settings.
  5. In the Strict Update field, the check box is selected by default to protect the configuration settings.
    With this option selected, you cannot manually modify any settings produced by the application. Once you disable this option, you can manually change your configuration. F5 recommends you keep this setting enabled to avoid misconfigurations that can result in an unusable application and F5's ability to support your product.
  6. In the Forward Proxy field, select or clear the check box depending on whether you are creating or managing forward proxy (for outbound traffic) or reverse proxy (for inbound traffic) scenarios.
    • With this option Enabled you specify the forward proxy mode, which enables or disables SSL processing, regardless of whether the SSL profile is attached to a virtual server. Unchecking this box makes the SSL profile effectively invisible, so that it simulates having no SSL profile attached at all. The default is Enabled.
    • With this option deselected you specify the reverse proxy mode.
  7. From the Bypass on Handshake Alert list, you can enable or disable SSL forward proxy bypass on receiving a handshake failure, protocol version, or unsupported extension alert message during the server-side SSL handshake. When this occurs, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default is Disabled.
  8. From the Bypass on Client Cert Failure list, you can enable or disable SSL forward proxy bypass on failing to get a client certificate that the server asks for. When this occurs, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default is Disabled.
  9. In the Cipher Type field, specify the list of ciphers that the system supports by selecting Cipher Group. Select Cipher String for the default cipher list.
  10. In the Ciphers field, specify the ciphers that the system supports from the list. The default cipher list will display DEFAULT in the field.
  11. In the Certificate Key Chains field, specify one or more certificates and keys to associate with the SSL profile. Select a Certificate, Key, Chain, and Passphrase settings for the certificate key chain. If the key does not have a passphrase, leave the field empty. Once the definition exists, click Add.
  12. In the CA Certificate Key Chains field, specify one or more Certificate Authority (CA) certificates and keys to associate with the SSL profile. Select a Certificate, Key, Chain, and Passphrase settings for the certificate key chain. If the key does not have a passphrase, leave the field empty. Once the definition exists, click Add.
  13. In the Cipher Type field, to specify the list of ciphers that the system supports, select Cipher Group. Select Cipher String for the default cipher list.
  14. In the Ciphers field, specify the ciphers that the system supports from the list. The default cipher list will display DEFAULT in the field.
  15. From the Trusted Certificate Authority list, select a client CA that the system trusts:
    • None: Specifies that no CA is trusted for client-side processing.
    • ca-bundle: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for client-side processing.
    • default: Specifies that the trusted CA for client-side processing is the default certificate on the system.
  16. From the Expire Certificate Response Control list, instruct the system to drop or ignore the specified Certificate Response Control (CRL) file even if it has expired. The default is ignore.
  17. From the Untrusted Certificate Response Control list, instruct the system to drop or ignore the specified CRL file even if it is not trusted. The default is ignore.
  18. From the OCSP list, select a configured Online Certificate Status Protocol (OCSP) responder associated with a certificate to enable an OCSP request that updates certificate status. That way, you can monitor the status of certificates on the BIG-IP system using OCSP. OCSP responses are stored in a common cache so that they can be used for certificate status monitoring, OCSP Stapling, and for IPsec.
  19. From the CRL list, select a configured Certificate Revocation List associated with a certificate. Click Create New to configure a new CRL.
  20. Click Finished.
You have successfully configured your SSL security settings.
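To make the Bypass on Handshake Alert setting (step 7) concrete, here is an added Python example that is not part of this manual or of SSL Orchestrator. It parses a TLS alert record received from the server side, recognizes the three alert types the setting names (handshake failure, protocol version, unsupported extension), and shows which outcome each produces with the setting Enabled or Disabled. The record bytes are constructed for the example, the outcome labels bypass, no_bypass and not_an_alert are the example's own, and the alert code values are those defined in the TLS specifications (RFC 5246).

```python
import struct

# TLS record and alert constants (RFC 5246 section 7.2; unchanged in RFC 8446)
CONTENT_TYPE_ALERT = 21
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTION = {
    0: "close_notify",
    40: "handshake_failure",
    70: "protocol_version",
    110: "unsupported_extension",
    # other alert descriptions are reported numerically by the parser
}
# The three server-side handshake alerts the manual's setting reacts to
BYPASS_TRIGGERS = {"handshake_failure", "protocol_version", "unsupported_extension"}


def parse_alert_record(record):
    """Parse one TLS record from the server.

    Returns (level, description) for an alert record, None for any other
    content type, and raises ValueError for a malformed record.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        return None
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = body  # bytes unpack to ints
    return (ALERT_LEVEL.get(level, f"level_{level}"),
            ALERT_DESCRIPTION.get(description, f"alert_{description}"))


def decide_on_server_alert(record, bypass_on_handshake_alert=False):
    """Model the forward-proxy decision for an alert seen during the server-side handshake.

    "bypass"       the flow is passed through untouched, without decryption,
                   so nothing in the service chain inspects it (setting Enabled)
    "no_bypass"    the flow is not bypassed (setting Disabled, the default)
    "not_an_alert" the record was not an alert at all
    """
    parsed = parse_alert_record(record)
    if parsed is None:
        return "not_an_alert"
    _level, description = parsed
    if bypass_on_handshake_alert and description in BYPASS_TRIGGERS:
        return "bypass"
    return "no_bypass"


# Constructed sample records: TLS 1.2 record version, alert content type
SAMPLE_RECORDS = {
    "fatal handshake_failure": b"\x15\x03\x03\x00\x02\x02\x28",
    "fatal protocol_version": b"\x15\x03\x03\x00\x02\x02\x46",
    "fatal unsupported_extension": b"\x15\x03\x03\x00\x02\x02\x6e",
    "warning close_notify": b"\x15\x03\x03\x00\x02\x01\x00",
    "handshake record (not an alert)": b"\x16\x03\x03\x00\x05hello",
}


def decision_table():
    """Return {sample name: (outcome with setting Disabled, outcome with setting Enabled)}."""
    return {name: (decide_on_server_alert(rec, False), decide_on_server_alert(rec, True))
            for name, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, (disabled, enabled) in decision_table().items():
        print(f"{name:36} Disabled -> {disabled:13} Enabled -> {enabled}")
```

The table the script prints shows why the default is Disabled: with the setting Enabled, every flow whose server-side handshake ends in one of those three alerts leaves the BIG-IP system without being decrypted, so none of the inline, ICAP, or receive-only services sees it. If you enable the bypass for compatibility reasons, make sure those flows are logged so that they can be reviewed.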

Creating new per-request policies

Before creating your per-request policy settings, F5 recommends you complete all required areas in the deployment settings and create all the services you require with supporting VLAN network settings. For more information, refer to the Configuring deployment settings and Create F5 SSL Orchestrator inline services sections in this document.

By creating TCP and UDP service chains, you determine which service chains receive traffic. Each service chain selects the specific chain to process ingress connections. Different policies may send connections to the same chain. Each policy has three filters that match the source IP address, the destination, and the application protocol. Filters can also overlap, so the best matching policy determines the service chain for a specific connection. In addition, policies can reject a connection or allow it to bypass the service chain. Finally, you can also choose to send decrypted or non-decrypted traffic to the inspection devices.
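The following Python example is added to illustrate the matching described in the previous paragraph; it is not the manual's or SSL Orchestrator's code. It models a policy as three filters (source network, destination network, application protocol), scores each match by how specific the filters are, and lets the best-scoring policy decide whether a connection is intercepted (decrypted and sent to the intercept chain), bypassed (sent undecrypted to a non-intercept chain), or rejected. The policy names, networks, protocols, scoring rule, and the first-wins tie-break are constructed assumptions.

```python
import ipaddress


class Policy:
    """One per-request policy: three filters plus the action taken on a match."""

    def __init__(self, name, source, destination, protocol, action, chain=None):
        # source/destination: CIDR strings or "any"; protocol: a name such as "https" or "any"
        self.name = name
        self.source = None if source == "any" else ipaddress.ip_network(source)
        self.destination = None if destination == "any" else ipaddress.ip_network(destination)
        self.protocol = None if protocol == "any" else protocol.lower()
        self.action = action   # "intercept", "bypass" or "reject"
        self.chain = chain     # service chain name, None for reject

    def match(self, src, dst, proto):
        """Return a specificity score if all three filters match, else None.

        Scoring (example's own rule): each IP filter adds its prefix length + 1,
        an exact protocol adds 1, and an "any" filter adds nothing, so a narrower
        policy always outscores a broader one it overlaps with.
        """
        score = 0
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for flt, addr in ((self.source, src_ip), (self.destination, dst_ip)):
            if flt is not None:
                if addr not in flt:
                    return None
                score += flt.prefixlen + 1
        if self.protocol is not None:
            if proto.lower() != self.protocol:
                return None
            score += 1
        return score


def select_policy(policies, src, dst, proto):
    """Pick the best matching policy; on equal scores the earlier policy wins."""
    best, best_score = None, -1
    for policy in policies:
        score = policy.match(src, dst, proto)
        if score is not None and score > best_score:
            best, best_score = policy, score
    return best


def route_connection(policies, src, dst, proto):
    """Return (action, chain, policy name) for a connection, or None if no policy matches."""
    policy = select_policy(policies, src, dst, proto)
    if policy is None:
        return None
    return (policy.action, policy.chain, policy.name)


# Constructed sample policy set; the networks are documentation ranges
SAMPLE_POLICIES = [
    Policy("reject_smtp_from_guest", "10.20.0.0/16", "any", "smtp", "reject"),
    Policy("bypass_banking", "any", "203.0.113.0/24", "https", "bypass", "non_intercept_chain"),
    Policy("intercept_web", "10.0.0.0/8", "any", "https", "intercept", "intercept_chain"),
    Policy("catch_all", "any", "any", "any", "intercept", "intercept_chain"),
]

if __name__ == "__main__":
    # bypass_banking and intercept_web both match this connection; the more specific one wins
    print(route_connection(SAMPLE_POLICIES, "10.20.5.5", "203.0.113.10", "https"))
    print(route_connection(SAMPLE_POLICIES, "10.20.5.5", "198.51.100.7", "smtp"))
    print(route_connection(SAMPLE_POLICIES, "192.0.2.9", "198.51.100.7", "dns"))
```

The first sample connection is the overlap case from the paragraph above: it matches both bypass_banking and intercept_web, and the destination-specific policy wins. Keep a broad catch-all policy at the end of the set so that a connection matching nothing narrower is still handled deliberately rather than falling through.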

Note: When configuring a single device SSL Orchestrator transparent proxy in front of an explicit proxy, SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspections. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends to the explicit proxy. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections.
Note: Fields marked with a blue ribbon are required fields that must be completed before you can finish a task.
  1. On the Main tab, click SSL Orchestrator > Policies > Access Per-Request Policies. The Access Per-Request Policies screen opens.
  2. Click Create. The New Policy screen opens.
  3. In the Name field, type a name after the default prefix ssloP_.
  4. In the Intercept Chain fields, select any available services for your TCP service chain. Use the arrows to move any required services to the Selected Services field from the Available Service field.
  5. In the Non Intercept Chain fields, select any available services for your TCP service chain. Use the arrows to move any required services to the Selected Services field from the Available Service field.
  6. In the Service Chain Sequence fields, select any available services for your UDP service chain. Use the arrows to move any required services to the Selected Services field from the Available Service field.
  7. Click Finished.
You have now created a per-request policy. If you started the per-request policy creation from within the Installing default outbound interception rules screen, SSL Orchestrator takes you back to that screen to complete your deployment.

To manage your SSL Orchestrator per-request policies, refer to the Managing the F5 SSL Orchestrator Basic Deployment chapter where you can use the SSL Orchestrator virtual policy editor (VPE) to manage the details of each policy created.