Manual Chapter : Topology

Applies To:


F5 SSL Orchestrator

  • 17.1.0
Topology

When using the Topology screen, you can set up SSL Orchestrator in an array of topologies that define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect.

These deployment settings, which can be modified as needed without un-deploying a configuration, are complemented by SSL settings that assist you in defining inbound and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2 (L2)/Layer 3 (L3) inline, and receive-only/TAP services), and creating your service chains and security policies, which can be managed through a visual policy editor.

Available topologies are based on your initial network setup. Topologies that are not supported by your network setup or licensing are not shown as an enabled option.
  • L2 Inbound and L2 Outbound topologies are only available for supported L2 wire enabled networks.
  • L3 Inbound and L3 Outbound topologies are available for all supported networks.
  • L3 Explicit Proxy topology is only available when Protocol is set to either TCP or Any.
  • Existing Application topology is available for SSL Orchestrator addon licensed devices. This option is not available for standalone SSL Orchestrator devices.
SSL Orchestrator provides the installation of default or custom outbound interception rules for greater support in defining your listeners, and the flexibility to create your own outbound and inbound interception rules.

You can specify the L3 Inbound mode as either Gateway or Application. L2 Inbound mode is Gateway only. Inbound Gateway mode ensures non-SSL and non-HTTP traffic is forwarded and L7 protocols are identified as an outbound deployment. Inbound Application mode enables address translation.
L2/L3 Inbound Gateway and Application mode options:
  • L2 Inbound: Only Gateway mode is available, with address translation disabled. In the Interception Rule, Port defaults to 0 and Destination Address/Mask defaults to 0.0.0.0%0/0.
  • L3 Inbound: Select Gateway mode to disable address translation; in the Interception Rule, Port defaults to 0 and Destination Address/Mask defaults to 0.0.0.0%0/0. Or, select Application mode to enable address translation; in the Interception Rule, specify the Port and Destination Address/Mask values.
In L2 or L3 Inbound Gateway mode, the Verified Accept check box appears under Advanced Settings on the Interception Rule screen.
When upgrading from previous releases, if an SSL Orchestrator inbound topology had:
  • an L2 inbound topology, it maps to Gateway mode.
  • Port set to a number other than 0, it maps to Application mode.
  • Port set to 0 and no LB pool attached, it maps to Gateway mode.
  • Port set to 0 with an LB pool attached, no specific mode is mapped. The admin can determine whether Gateway or Application mode should be selected for that topology using the Mode option in the UI.
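The mode constraints and the upgrade mapping above are easy to get wrong when reviewing many topologies at once. The following is an added example, not F5 code: it models an inbound topology with assumed field names (layer, port, destination, address_translation, lb_pool, mode), applies the upgrade mapping rules, and flags settings that contradict the mode rules.

```python
"""Consistency checks for SSL Orchestrator inbound topology settings.

Added example, not F5 code. The field names below are assumptions that
model the UI options described in this chapter, not SSL Orchestrator's
real configuration schema.
"""
from dataclasses import dataclass
from typing import List, Optional

GATEWAY, APPLICATION = "Gateway", "Application"
ANY_DEST = "0.0.0.0%0/0"  # Interception Rule default for Gateway mode


@dataclass
class InboundTopology:
    layer: str                     # "L2" or "L3"
    port: int = 0                  # Interception Rule Port
    destination: str = ANY_DEST    # Destination Address/Mask
    address_translation: bool = False
    lb_pool: Optional[str] = None  # attached LB pool name, if any
    mode: Optional[str] = None     # None: not chosen yet (e.g. after upgrade)


def upgrade_mode(t: InboundTopology) -> Optional[str]:
    """Mode a pre-existing inbound topology maps to on upgrade.
    None means no mode is mapped and the admin must pick one in the UI."""
    if t.layer == "L2":
        return GATEWAY          # L2 inbound is Gateway only
    if t.port != 0:
        return APPLICATION      # non-zero Port -> Application
    if t.lb_pool is None:
        return GATEWAY          # Port 0, no LB pool -> Gateway
    return None                 # Port 0 with LB pool -> ambiguous


def check_topology(t: InboundTopology) -> List[str]:
    """Return findings; an empty list means the settings agree with the mode."""
    findings: List[str] = []
    mode = t.mode if t.mode is not None else upgrade_mode(t)
    if mode is None:
        return ["mode not set: choose Gateway or Application (port 0 with LB pool)"]
    if t.layer == "L2" and mode != GATEWAY:
        findings.append("L2 Inbound supports Gateway mode only")
    if mode == GATEWAY:
        if t.address_translation:
            findings.append("Gateway mode requires address translation disabled")
        if t.port != 0 or t.destination != ANY_DEST:
            findings.append(f"Gateway mode expects Port 0 and {ANY_DEST}")
    elif mode == APPLICATION:
        if not t.address_translation:
            findings.append("Application mode requires address translation enabled")
        if t.destination == ANY_DEST:
            findings.append("Application mode: specify a Destination Address/Mask")
    return findings
```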
After upgrading an L2 Inbound deployment, Gateway mode is set automatically. However, you cannot use the Inbound Gateway mode feature unless you manually edit the topology by selecting the Enable Inbound Gateway Feature check box, or manually associate the corresponding -gw_in_t and -lib iRules, either in SSL Orchestrator (in the Interception Rule step) or using TMUI/TMSH (on the virtual server).

Enabling the inbound gateway feature ensures that non-SSL and non-HTTP traffic can be forwarded. In addition, L7 protocols identified as an outbound deployment, and HTTP traffic (L7 protocol identified as HTTP), can be forwarded, and server-speak-first traffic (for example, IMAP) is also handled. Enabling this feature may break existing custom iRules.
After upgrading, you can update an existing L3 Inbound deployment to either Gateway or Application mode if you did not select the inbound mode value set by the upgrade. For example, if your inbound topology has not yet been manually modified, an "i" icon appears in front of the name of your deployment. Mouse over the icon for more information, and make edits by clicking the name. In addition, an Enable Inbound Gateway Feature check box may appear. Selecting it attaches the corresponding iRules, -gw_in_t and -lib, to this topology. This is a one-time action.