Original Publication Date: 10/18/2017
This release note documents the version 13.0.0-2.3 release of F5 Herculon SSL Orchestrator.
This version of Herculon SSL Orchestrator is supported on the following platforms:
The SSL Orchestrator license is the only Base module that is installed on your system. However, you can add the following modules:
For more information about purchasing other module licenses, contact your F5 Sales representative.
The configuration utility acts as the template for Herculon SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:
This is the Herculon SSL Orchestrator version 13.0.0 with configuration utility version 2.3 release.
For a comprehensive list of documentation that is relevant to this release, refer to the F5 Herculon SSL Orchestrator 13.0.0 Documentation page.
Herculon SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, give security devices visibility into SSL/TLS encrypted traffic, and maximize efficient use of the existing security investment. The solution supports policy-based management and steering of traffic flows to existing security devices, is designed to integrate easily into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Dynamic Service Chaining processes specific connections based on
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:
Diagnostically monitor each device configuration deployment and
Herculon SSL Orchestrator provides both import and export capabilities so you can deploy previously successful configurations to resolve specific configuration issues or deploy into any Herculon SSL Orchestrator environment. When importing past configurations, you can use the
| ID | Description |
|---|---|
| 626198 | Creating a TCP service chain classifier using an IPv6 subnet mask fails. |
| 632509 | SSL Orchestrator always fails during the first connection when a remote server requests a client certificate and SSL Orchestrator is configured to bypass interception for server-issued client certificate requests (for example, the browser page does not load the first time). The SSL Orchestrator configuration utility iRules are updated so they can detect the connection failure caused by the server request for a client certificate and |
| 644820 | The service chain's member list (any receive-only, ICAP, or inline service) does not update when a service name is modified. This results in a traffic failure. |
| 644838 | Deleting the first classifier rule does not delete the complete row: only the name of that row is deleted, its other attributes remain, and the name of the row below moves up in its place, creating a mismatch. This produced an incorrect classifier rule configuration, and all rules then had to be deleted and reconfigured. Now all data for the row deletes together, the row below moves up with its correct configuration, and the deletion no longer causes incorrect rule configurations to appear. |
| 645662 | When a server certificate is cached, the connection receives an HTTP 302 redirect response, because client software frequently receives redirect responses from a website whose server has multiple IP addresses. |
| 648277 | Passing IPv6 traffic, and using IPv6 services for SSL Orchestrator, is not possible. Now IPv6 is supported, allowing the user to pass IPv6 traffic through and orchestrate IPv6 devices into the service chain. |
| 653982 | SSL Orchestrator provides insufficient |
| 655468 | The SSL Orchestrator inline service virtual server blocks traffic because its mask is 255.255.255.255. Unchecking strict updates in General Properties and manually changing the inline service virtual server mask to Any/Any6 unblocks the traffic. |
| 662174 | New application status messages are insufficient when |
When switching between egress and ingress configurations, the Deploy button can become enabled even though required fields in the General Properties section of the configuration utility have been left empty. Clicking Deploy results in an application with incomplete information and causes a deployment error.
| ID | Description |
|---|---|
| 664503 | SSL Orchestrator configuration utility details are automatically reversed while deploying the application for these two fields: |
| 665262 | Selecting Support IPv6 only, or Both IPv4 and IPv6, for the SSL Orchestrator IP address family while selecting Implement explicit proxy |
| 665506 | The BIG-IP LTM virtual server does not route SSL traffic if the destination address is a single IPv6 host. When using IPv6 with a BIG-IP device as a load balancer, you must disable ARP and ICMP on the virtual IP address. Note: If you are using IPv4, ARP and ICMP can remain enabled. |
| 659753 | Certificate Validation: When the default settings of the configuration utility were used and a certificate's private key was known, a malfunctioning true/false association caused the deployed configuration data to be incorrect. The true/false association in this default-settings scenario is fixed, and the user's deployment now maintains the correct configuration. |
| 643713 | When the service chain includes ICAP, SSL Orchestrator IMAPS traffic hangs until it times out. Workaround: Create a service chain without ICAP and create a rule that matches the IMAPS traffic to this service chain. |
| 654840 | ICAP can fail with HTTPS traffic on a non-standard port. In certain cases the system fails to send HTTP traffic to the ICAP server correctly when a non-standard port (other than 80/443/8080) is used: there is only one service in the chain and the traffic is not monitored by the ICAP service (although it is still forwarded to the web server). Workaround: Make sure there are at least two services in any chain that might handle HTTP on non-standard ports. At a minimum, create a dummy read-only interface. |
| 665295 | RPM sync does not occur properly for |
| 668492 | SSL Orchestrator does not work with ICAP servers configured with IPv6. The system does not allow IPv6 traffic to return from an ICAP service, and SSL Orchestrator translates traffic to IPv4 or IPv6 as needed to pass through a service configured with a different address family (if no common family is available). When an ICAP service is configured with an IPv6 address: if a request is received over IPv6 and only IPv6 ICAP servers are configured, all ICAP traffic is rejected; if both IPv4 and IPv6 servers are configured, only IPv6 traffic is rejected; if only IPv4 ICAP servers are configured, no traffic is rejected. Chains that contain ICAP servers configured with IPv6 addresses also fail. Workaround: The process of translating IPv6 to IPv4 adds load to the system, but this should not be significant during normal operation. |
| 671084 | The inline service does not see the original port from the client side. |
| 674193 | Using IPv6 in SSL Orchestrator with an explicit proxy causes the connection to fail. |
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.