F5 Logo MyF5
Search
  1. MyF5 Home
  2. F5 Guided Configuration for SSL Orchestrator: Setup 17.1-11.0
  3. SSL Orchestrator Guided Configuration
  4. Topology
Manual Chapter : Topology

Applies To:

Show Versions Show Versions

F5 SSL Orchestrator

  • 17.1.0
Manual Chapter

Topology

  • When using the Topology screen, you can set up SSL Orchestrator in an array of topologies that define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect.
    These deployment settings, which can be modified as needed without un-deploying a configuration, are complimented by SSL settings that assist you in defining inbound and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2 (L2)/Layer 3 (L3) inline, and receive-only/TAP services), creating your service chains and security policies that can be managed through a visual policy editor.
    Available topologies are based on your initial network setup. Topologies that are not supported by your network setup or licensing will not show as an enabled option.
    • L2 Inbound
       and
      L2 Outbound
       topologies are only available for supported L2 wire enabled networks.
    • L3 Inbound
       and
      L3 Outbound
       topologies are available for all supported networks.
    • L3 Explicit Proxy
       topology is only available when Protocol is set to either TCP or Any.
    • Existing Application
       topology is available for SSL Orchestrator addon licensed devices. This option is not available for standalone SSL Orchestrator devices.
    SSL Orchestrator provides the installation of default or custom outbound interception rules for greater support in defining your listeners and the flexibility to create your own outbound and inbound interception rules.
    You can specify the L3 Inbound mode as either
    Gateway
     or
    Application
    . L2 Inbound mode is
    Gateway
     only. Inbound Gateway mode ensures non-SSL and non-HTTP traffic is forwarded and L7 protocols are identified as an outbound deployment. Inbound Application mode enables address translation.
    L2/L3 Inbound Gateway and Application mode option
    :
    • L2 Inbound
      : Only
      Gateway
       mode is available with address translation disabled. In Interception Rule,
      Port
       defaults to 0 and
      Destination Address/Mask
       defaults to 0.0.0.0%0/0.
    • L3 Inbound
      : Select
      Gateway
       mode so address translation is disabled. In Interception Rule,
      Port
       defaults to 0 and
      Destination Address/Mask
       defaults to 0.0.0.0%0/0. Or, select
      Application
       mode so address translation is enabled. In Interception Rule, specify
      Port
       and
      Destination Address/Mask
       values.
    Inbound Gateway mode ensures non-SSL and non-HTTP traffic is forwarded and L7 protocols are identified as an outbound deployment.
    In L2 or L3 Inbound
    Gateway
     mode, the
    Verified Accept
     check box appears on the Interception Rule screen in
    Advanced Settings
    .
    When upgrading from previous releases, if SSL Orchestrator inbound topology had:
    • L2 inbound topologies, it will map to
      Gateway
       mode.
    • Port set to a number that is not 0, it will map to
      Application
       mode.
    • Port set to 0 and no LB pool attached, it will map to
      Gateway
       mode.
    • Port set to 0, with LB Pool attached, a specific mode will not be mapped. The admin can determine if
      Gateway
       or
      Application
       mode should be selected for that topology using the
      Mode
       option in the UI.
After upgrading an L2 Inbound deployment, the Gateway mode is automatically set. However, you cannot use the Inbound Gateway mode feature unless you manually edit the topology by selecting the
Enable Inbound Gateway Feature
 check box or manually associate the corresponding
-gw_in_t
 and
-lib
 iRules in SSL Orchestrator (in the Interception Rule step) or using TMUI/TMSH (virtual server).
Enabling the inbound gateway feature ensures that non-SSL and non-HTTP traffic can be forwarded. In addition, L7 protocol, identified as outbound deployment, and HTTP traffic, can be forwarded and L7 protocol identified as HTTP while also handling server-speak-first traffic (e.g. IMAP). Enabling this feature may break current custom iRules.
After upgrading, you can update an existing L3 Inbound deployment in either
Gateway
 or
Application
 mode if you did not select the inbound mode value set by the upgrade. For example, if your inbound topology has not yet been manually modified, an "i" icon appears in front of the name of your deployment. Mouse over the icon for more information and make edits by clicking on the name. In addition, an
Enable Inbound Gateway Feature
 check box may appear. By selecting it, the corresponding iRules, -
gw_in_t
 and
-lib
, will be attached to this topology. This is a one-time action.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information