Original Publication Date: 12/11/2018
This release note documents the version 14.1.0-5.0 release of F5 Guided Configuration for SSL Orchestrator.
SSL Orchestrator standalone base license is supported on the following platforms:
|Platform name||Platform ID|
|i11800 Discovery Extreme||C123|
|High Performance F5 SSL Orchestrator Virtual Edition (VE) options:
If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including Viprion and VE):
The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:
For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.
F5 Guided Configuration for SSL Orchestrator version 14.0.0-5.0 contains significant architectural changes. F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.
Guided configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version displays on the landing page. When a later upgrade becomes available, you can use the available link next to the version number to download it from devcentral.f5.com, then upload and install Guided Configuration for SSL Orchestrator. Prior to installing and upgrading to the latest version of SSL Orchestrator, ensure that you read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps during installation or upgrade.
SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complimented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services) and creating your service policies by defining per-request and per-session policy settings that can be managed through a virtual policy editor. You can also select an existing application topology, available for SSL Orchestrator addon licensed devices. This option is not available for standalone SSL Orchestrator devices.
Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.
The SSL Orchestrator VPE provides a dedicated screen on which to configure a per-request policy using visual elements. Policies you create during the configuration of your deployment are available within the VPE. Each element, or box, represents a corresponding macro whose information (and output) influences the next element and its macro, until the traffic is either allowed or blocked.
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics are generated for the following dimensions:
SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.
|740438||Provide ability to deploy multiple explicit proxies via SSLO. In 5.0, SSLO provides topology based workflows. If there is a need to deploy multiple explicit proxies, a user would create multiple topologies and the SNAT settings would be correctly picked for them. This also applies for any other outbound topologies.|
|740970||Access Guided Configuration (AGC) menu was not appearing when SSL Orchestrator (SSLO) module was provisioned. Fix: AGC menu dependency on SSL Orchestrator provisioning was removed and the menu is now available.|
|738086||When a base configuration is reloaded, the box is reset and VLANs are removed. To create network objects, at least one VLAN is required. However, this also occurs when there is no VLAN present. Workaround: Manually create a VLAN if no VLAN is present.|
|739549||When choosing to deploy L2 outbound and L2 inbound deployment modes, user is allowed to configure a default gateway under System Settings. Workaround: Both Gateway and SNAT settings are globally configured but they will be ignored for L2 deployments.|
|745428||Deployment failed due to undefined error/interceptionrRule not correctly appearing on the list page. Workaround: Run "bigstart restart responded restjavad". If this does not address the issue, run "clear-rest-storage" and in TMSH run "delete sys application service recursive *" to thoroughly clear the storage so that the module restarts and issue is resolved.|
|746643||When a L3 or HTTP service is added while creating a new network, VLAN, and route domain for 'To Service', the pool member is not created with a custom route domain specified. Since the 'To Service' address and pool member created is in a different route domain, the service pool is always down and traffic does not go to the service but follows the service down action. Workaround: Add a pool member with the same route domain as the 'To Service' self IP address. Using TMSH, execute the following commands:
SSL Orchestrator version 5.0, when configured to allow un-trusted certificates, no longer caches those untrusted certificates by default, which can reduce performance for servers with untrusted certificates by approximately 12-19% as compared to BIG-IP version 14.0.0.
The drop in performance is by design to improve security by not caching untrusted certificates. This impacts only connections that come from servers with untrusted certificates, and impacts performance only if SSL Orchestrator allows those connections. It is suggested that you do not allow untrusted certificates at all, which provides significantly better security and solves this issue by not allowing the connections. If you must allow untrusted certificates, you can recapture the performance by using TMSH to disable the following sys db variable: tmm.ssl.servercert_softval. This forces SSL Orchestrator to cache certificates forged from untrusted sources.
The complete installation and upgrade instructions for F5 Guided Configuration for SSL Orchestrator version 14.1.0-5.0 can be found in the SSL Orchestrator: Setup version 14.1.0-5.0 guide.
To install the F5 Guided Configuration for SSL Orchestrator 14.1.0-5.0 and you do not have an existing SSL Orchestrator add-on license, or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide. The Guided Configuration for SSL Orchestrator 5.0 image is packaged with the F5 BIG-IP 14.1.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version, or you have an existing add-on license, follow the recommended upgrade steps found in the SSL Orchestrator recommended upgrade procedure section in the SSL Orchestrator: Setup guide. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPM before installing the new ISO image.
If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.
These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
You can contact the Anti-Fraud SOC as follows:
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
|AskF5 Knowledge Base||
The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
|BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer||
BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.
Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.
|Communications Preference Center||
Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.