Terminology for F5 Guided Configuration for SSL Orchestrator

This implementation requires a Certificate Authority PKI (public key infrastructure) certificate and matching private key for SSL Forward Proxy. Your TLS clients must trust this CA certificate to sign server certificates.

An inspection zone refers to the network region between separate ingress and egress BIG-IP devices where cleartext data is available for inspection. Basically, an extra inline service can be placed at the end of every service chain for additional inspection. You cannot configure a decrypt zone in the scenario where a single BIG-IP system handles both ingress and egress traffic because the inspection zone does not exist.

F5 Guided Configuration for SSL Orchestrator is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup.

The current version displays on the landing page. When a later upgrade becomes available, you can use the available link next to the version number to download it from devcentral.f5.com, then upload and install it Guided Configuration for SSL Orchestrator link.

To go to the landing page, save any work you have done in the right pane before you click

SSL Orchestrator

Configuration

, or click the

Home

icon in the menu steps.

See the

Setting up F5 Guided Configuration for SSL Orchestrator

section for detailed steps on installing and upgrading to the newest version.

You can configure inline HTTP explicit proxy (EP) or transparent proxy (TP) settings with SSL Orchestrator configured as either an explicit or transparent proxy for extended SSL visibility and existing or new deployments. Using SSL Orchestrator, the inline proxy device can be in either transparent or explicit mode, irrespective of SSL Orchestrator's mode.

Each ICAP service uses the ICAP protocol (https://tools.ietf.org/html/rfc3507) to refer HTTP traffic to one or more Content Adaptation device(s) for inspection and possible modification. You can add an ICAP service to any TCP service chain, but only HTTP traffic is sent to it, as we do not support ICAP for other protocols. You can configure up to ten ICAP services using F5 SSL Orchestrator™.

Inline services pass traffic through one or more service (inspection) devices at Layer2 (MAC)/Bump-in-the-wire or Layer3 (IP). Each service device communicates with the SSL Orchestrator device over two VLANs called

Inward

and

Outward

which carry traffic toward the intranet and the Internet respectively. You can configure up to ten inline services, each with multiple defined devices, using SSL Orchestrator.

Receive-only services refer to services that only receive traffic for inspection, and do not send it back to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (e.g. plaintext) passing through it to an inspection device. You can configure up to ten receive-only services using SSL Orchestrator.

The SSL Orchestrator uses a visual per-request policy engine, or Visual Policy Editor (VPE), to define traffic flows through the security services. Security policies are available within the VPE with each element, or box, representing a corresponding macro whose information (and output) influences the next element and its macro, until the traffic is either allowed or blocked.

SSL Orchestrator service chains process specific connections based on rules which look at protocol, source and destination addresses, and so on. These service chains can include five types of services (HTTP services, Layer 2 inline services, Layer 3 inline services, receive-only/TAP services, and ICAP services) you define, as well as any decrypt zone between separate ingress and egress devices.

A SNAT (Secure Network Address Translation) is a feature that defines routable alias IP addresses that the BIG-IP system substitutes for client IP source addresses when making connections to hosts on the external network. A SNAT pool is a pool of translation addresses that you can map to one or more original IP addresses. Translation addresses in a SNAT pool should not be self IP addresses.

By selecting the strict update option (on the Guided Configuration Welcome screen in a column labled

Protected/Unprotcted Configurations

) for deployed configurations, you cannot manually modify any settings produced by the application. Once you disable this option (click on the lock symbol), you can manually change your configuration. F5 recommends you keep this setting enabled (locked) to avoid misconfigurations that can result in an unusable application and limit F5's ability to support your product. The strict update check box is enabled/selected by default.

A Sync-Failover device group (part of the Device Service Clustering (DSC®) functionality) contains BIG-IP devices that synchronize their configuration data and failover to one another when a device becomes unavailable. In this configuration, a Sync-Failover device group supports a maximum of two devices.

You can operate in transparent and/or explicit proxy mode. A transparent proxy intercepts normal communication without requiring any special client configuration; clients are unaware of the proxy in the network. In this implementation, the transparent proxy scheme can intercept all types of TLS and TCP traffic. It can also process UDP and forward other types of IP traffic. The explicit proxy scheme supports only HTTP(S) per RFC2616. In addition, transparent proxy supports direct routing for policy-based routing (PBR) and Web Cache Communication Protocol (WCCP) that are dependent on networking services to support both protocols, while explicit proxy supports manual browser settings for proxy auto-config (PAC) and Web Proxy Autodiscovery Protocol (WPAD) that require additional iRule configurations (not included) to provide the PAC/WPAD script content.