Release Note: F5 Herculon SSL Orchestrator Release Notes version 13.0.0-2.3

Original Publication Date: 10/18/2017

Summary:

This release note documents the version 13.0.0-2.3 release of F5 Herculon SSL Orchestrator.

Contents:

- Platform support
- Herculon SSL Orchestrator configuration utility browser support
- Herculon SSL Orchestrator configuration utility version
- User documentation for this release
- Features in version 13.0.0-2.3
- Fixes in version 13.0.0-2.3
- Behavior changes in version 13.0.0-2.3
- Known issues
- Contacting F5 Networks
- Legal notices

Platform support

This version of Herculon SSL Orchestrator is supported on the following platforms:

Platform name      Platform ID
Herculon i2800     C120
Herculon i5800     C121
Herculon i10800    C122

Note: The supported platform information applies to the most recent release version.
Note: vCMP is currently not supported on these platforms.

The SSL Orchestrator license is the only Base module that is installed on your system. However, you can add the following modules:

  • URLF Filtering-Subscription
  • IPI-Subscription
  • Network HSM

For more information about purchasing other module licenses, contact your F5 Sales representative.

Herculon SSL Orchestrator configuration utility browser support

The configuration utility acts as the template for Herculon SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

Herculon SSL Orchestrator configuration utility version

This is the Herculon SSL Orchestrator version 13.0.0 with configuration utility version 2.3 release.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the F5 Herculon SSL Orchestrator 13.0.0 Documentation page.

Features in version 13.0.0-2.3

F5 Herculon SSL Orchestrator

Herculon SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, designed to easily integrate into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Dynamic Service Chaining

Dynamic Service Chaining processes specific connections based on context provided by the Classification Engine. These service chains can include four types of services that you define (Layer 2 in-line services, Layer 3 in-line services, receive-only services, and ICAP services), as well as any decrypt zone between separate ingress and egress devices.

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol
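The following is an added illustration of the context-based classification and chain selection described in the Dynamic Service Chaining and Classification Engine sections above. It is not SSL Orchestrator's own rule format or engine: the Flow type, the rule keys, the chain names and the sample rules are assumptions made for this example. It shows first-match rule evaluation over source/destination subnet, destination port, protocol and host name, with IPv4 and IPv6 subnets handled so that a rule for one address family never matches a flow of the other.

```python
# Added example, not SSL Orchestrator code. Rule keys, Flow and chain
# names are assumptions; IP/geolocation/URL categories are omitted.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: str                # "tcp" or "udp"
    host: Optional[str] = None   # SNI / HTTP Host, if available


# Constructed sample rules: every condition present in a rule must match.
# chain None means "bypass interception" for that connection.
RULES = [
    {"name": "bypass-internal", "dst_subnet": "10.20.0.0/16", "chain": None},
    {"name": "ipv6-dc", "dst_subnet": "2001:db8:10::/48", "protocol": "tcp",
     "chain": "chain-ids-dlp"},
    {"name": "mail", "dst_port": 993, "chain": "chain-no-icap"},
    {"name": "corp-web", "host_suffix": ".example.com", "protocol": "tcp",
     "chain": "chain-waf-ips"},
]
DEFAULT_CHAIN = "chain-full"


def _in_subnet(addr: str, cidr: str) -> bool:
    """True if addr is inside cidr; a family mismatch (v4 vs v6) is False."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(cidr, strict=False)
    return ip.version == net.version and ip in net


def rule_matches(rule: dict, flow: Flow) -> bool:
    checks = {
        "src_subnet": lambda v: _in_subnet(flow.src, v),
        "dst_subnet": lambda v: _in_subnet(flow.dst, v),
        "dst_port": lambda v: flow.dst_port == v,
        "protocol": lambda v: flow.protocol.lower() == v.lower(),
        "host_suffix": lambda v: flow.host is not None
        and flow.host.lower().endswith(v.lower()),
    }
    return all(checks[key](rule[key]) for key in checks if key in rule)


def select_chain(flow: Flow, rules=RULES):
    """First matching rule wins; returns (rule name, chain or None)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["name"], rule["chain"]
    return "default", DEFAULT_CHAIN
```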

Deployment Modes

Herculon SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:

  • Single device mode
  • Separate ingress and egress devices mode
  • Single high availability (HA) cluster mode
  • Separate ingress cluster and egress cluster mode

Herculon SSL Orchestrator Diagnostic

Diagnostically monitor each device configuration deployment and undeployment, whether you are deploying a single device or multiple devices in an HA device group. An application status message displays above the network diagram indicating whether your device, or device group, deployed successfully or suffered an error. The Diagnostic screen displays the current device's deployment information and assists in further diagnosing any issues.

Import and Export Configuration Settings for Deployment

Herculon SSL Orchestrator provides both import and export capabilities so you can deploy previously successful configurations to resolve specific configuration issues or deploy into any Herculon SSL Orchestrator environment. When importing past configurations, you can use the roll back capability by selecting a previously saved, or imported, JSON file. You can also export previously successful deployment configurations as JSON files to use in any Herculon SSL Orchestrator environment.

Fixes in version 13.0.0-2.3

ID number Description
626198 Creating a TCP service chain classifier using IPv6 subnet mask fails.
632509 SSL Orchestrator always fails during the first connection when a remote server requests a client certificate and SSL Orchestrator is configured to bypass interception for server-issued client certificate requests (for example, the browser page will not load the first time). The SSL Orchestrator configuration utility iRule has been updated so that it can detect the connection failure caused by the server's request for a client certificate and re-establish a bypassed connection to the server.
644820 The service chain's member list (any receive-only, ICAP, or inline service) does not update when a service name is modified. This results in a traffic failure.
644838 Deleting a first classifier rule does not delete a complete row. Deleting the first classifier rule only deletes the name of that row. Other attributes of that row still exist. The name of the row below moves up in its place (creating a mismatch). This issue causes the wrong classifier rule configuration and all rules then need to be deleted and reconfigured again. Now, all data successfully deletes together and the row below properly moves up with the correct configuration. In addition, the deletion will not cause any incorrect configuration of rules to appear.
645662 When a server certificate is cached, the connection receives a 302 redirect HTTP response since client software frequently gets redirect responses to a website due to the server having multiple IP addresses.
648277 Passing IPv6 traffic, and using IPv6 services for SSL Orchestrator, is not possible. Now, IPv6 support for SSL Orchestrator is possible, allowing the user to pass through IPv6 traffic and orchestrate IPv6 devices into the service chain.
653982 SSL Orchestrator provides insufficient user visible information when the HA deployment fails.
655468 SSL Orchestrator inline service virtual server blocks traffic since the mask is 255.255.255.255. By unchecking the strict updates in general properties and manually changing the inline service virtual server mask to Any/Any6, the traffic is no longer blocked.
662174 New application status messages are insufficient when restnoded is restarting. This results in odd system behavior when attempting to install a new RPM or just restart restnoded and refresh the SSL Orchestrator UI. In turn, this can cause the user to refresh, or restart, the server many times, delaying the loading of new functionality. To address this issue, proper notification for the user has been added indicating that the server is trying to connect or is unresponsive.
664041 When switching between egress and ingress configurations, the Deploy button can become enabled when required fields in the General Properties configuration utility have not been completed and are left empty. Clicking Deploy results in an application with incomplete information and causes a deployment error.
664503 SSL Orchestrator configuration utility details are being automatically reversed while deploying the application for these two fields:
  • Should connections to servers with expired certificates be allowed?
  • Should connections to servers with untrusted certificates be allowed?
The default value mapping mentioned in the JSON file has been updated so that the correct value is deployed and does not change.
665262 Selecting Support IPv6 only, or Both IPv4 and IPv6, for the SSL Orchestrator IP address family while selecting Implement explicit proxy only scheme causes the deployment to fail. To address this issue, the mcp object was changed to be correctly used for IPv6 explicit proxy mode deployment.
665506 The BIG-IP LTM virtual server does not route SSL traffic if the destination address is a single IPv6 host. When using IPv6 with a BIG-IP device as a load balancer, you must disable ARP and ICMP on the virtual IP address. Note: If you are using IPv4, ARP and ICMP can remain set to enabled.

Behavior changes in version 13.0.0-2.3

ID number Description
659753 Certificate Validation: When the default settings for the configuration utility were used and a certificate's private key was known, a malfunctioning true/false association caused the deployed configuration data to be incorrect. The true/false association in this default settings scenario is fixed and the user's deployment now maintains the correct configuration.

Known issues

ID number Description
643713 When the service chain has ICAP, SSL Orchestrator IMAPS traffic hangs until it times out. Workaround: Create a service chain without ICAP and create a rule matching the IMAPS traffic to this service chain.
654840 ICAP can fail with non-standard port HTTPS traffic. In certain cases, the system fails to correctly send HTTP traffic to the ICAP server if the traffic uses a non-standard port (other than 80/443/8080). This happens when there is only one service in the chain: the traffic is not monitored by the ICAP service (although it is still forwarded to the web server). Workaround: Make sure there are at least two services in any chain that might handle HTTP on non-standard ports. At the minimum, create a dummy receive-only service.
665295 RPM sync does not occur properly for an HA pair. This occurs when the package is not cleaned up and is installed prior to HA setup. After upgrading the package, the HA pair breaks and the application status does not send a notification. This also occurs if the application is deployed/redeployed during this time, and the deployment gets stuck. The steps normally followed:
  1. Apply a BIG-IP LTM+SSL_FWDP or SSL Orchestrator license on the 2 devices (Device1 and Device2) meant to be used in HA.
  2. Set up manual sync for HA and make sure both devices are in sync.
  3. Uninstall the existing SSL Orchestrator package (if it exists) from both Device1 and Device2 through the UI at SSL Orchestrator > Updates (or through the configuration utility menu).
  4. Upload or select the onbox SSL Orchestrator RPM and install it using the UI at SSL Orchestrator > Updates.
If step 3 is missed, even though the SSL Orchestrator RPM package on both devices is the same (identical name, version and release), Gossip does not sync successive application updates or package upgrades. The application status will fail and the application may not receive deploy/undeploy at that time. Workaround: Only install the SSL Orchestrator configuration utility package on one of the two BIG-IP devices before joining them. In addition, you can run these two commands on a given device:
  restcurl /shared/iapp/global-installed-packages -X DELETE
  restcurl /shared/gossip -d '{"copyStateFrom":"2<bigip>"}'
668492 SSL Orchestrator is not working with ICAP servers configured with IPv6. The system does not allow IPv6 traffic to return from an ICAP service, and SSL Orchestrator translates traffic to IPv4, or IPv6, as needed to pass through a service configured with a different address family (if a common family is not available). An ICAP service is configured using an IPv6 address. If a request is received using IPv6, and if only IPv6 ICAP servers are configured, all ICAP traffic is rejected. If IPv4 and IPv6 servers are configured, only IPv6 traffic is rejected. If only IPv4 ICAP servers are configured, no traffic is rejected. Chains selected that contain ICAP servers configured with IPv6 addresses also fail. Workaround: The process of translating IPv6 to IPv4 will add additional load to the system. However, this should not be significant during normal operation.
671084 The inline service does not see the original port from the client side.
674193 Using IPv6 in SSL Orchestrator with an explicit proxy causes the connection to fail.

Contacting F5 Networks

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices
