Manual Chapter: Services
Applies To: F5 SSL Orchestrator 17.1.1
Services
The Service screen allows you to create services such as HTTP, ICAP, Layer 2 and Layer 3 inline, receive-only TAP, and F5 services.
- Inline HTTP: You can configure inline HTTP explicit or transparent proxy settings with SSL Orchestrator configured as either an explicit or transparent proxy for extended SSL visibility and existing or new deployments. Using SSL Orchestrator, you can support multiple explicit and transparent proxy configurations such as: SSLO Explicit proxy with in-line explicit proxy as a service (EP-EP); SSLO Transparent proxy with in-line explicit proxy as a service (TP-EP); SSLO Explicit proxy with in-line transparent proxy as a service (EP-TP); SSLO Transparent proxy with in-line transparent proxy as a service (TP-TP).
- ICAP: Each ICAP service uses the Internet Content Adaptation Protocol (ICAP, RFC 3507) to refer HTTP traffic to one or more content adaptation devices for inspection and possible modification. You can configure the ICAP services that are a part of this configuration.
- Layer 2 and Layer 3 inline: Inline services pass traffic through one or more service devices at Layer 2 (LAN) or Layer 3 (IP). Each service device communicates with the BIG-IP device on the ingress side over two VLANs, called Inward and Outward, that carry traffic toward the intranet and the Internet, respectively. When you configure an L3 or HTTP service, you can also create service control channels that allow a security device to communicate with external devices if required. You can create multiple service control channels. When you deploy a service configuration with a service control channel, the required destination-side listener (a virtual server) is created and auto-bound to the destination-side VLAN of the service.
- Service control channels are enabled to allow a security service to communicate directly with external resources. This is typically needed, for example, when a proxy device needs to make DNS queries, or a security device needs to contact a license server or fetch malware signature updates. Under normal conditions, without service control channels, traffic originating from the security device is not able to traverse the SSL Orchestrator service chain. The service control channel defines a combination of source and destination IP, port, and protocol matches that allows specific service-initiated flows to bypass the service chain.
- Take care not to define these filters too widely, so that regular client-server traffic does not unintentionally pass through the service control channel. For example, setting the source to a wildcard (0.0.0.0/0) and the destination port to 80 might incorrectly allow HTTP client-server traffic to enter the service chain but attempt to exit through the service control channel. A common pattern is to define the IP address of the service itself as the source address, assuming the service does not SNAT traffic passing through it. In that case, the service control channel only catches traffic originating from the security service.
- TAP: TAP services only receive traffic for inspection and do not send it back to the BIG-IP system. Each receive-only service passes a packet-by-packet copy of the traffic flowing through it (for example, plaintext) to an inspection device.
- F5: The F5 tab lists F5's internal products as services. Deploy these services to suit your categorization, classification, and content inspection needs for encrypted traffic. The available services are F5 Secure Web Gateway, F5 Office 365 Tenant Restrictions, and F5 Advanced Web Application Firewall.
The F5 Secure Web Gateway (SWG) service allows you to take an existing F5 SWG solution and migrate or move it to the same BIG-IP as SSL Orchestrator. Selecting this service helps provide visibility, orchestration, categorization, and classification for all encrypted traffic traversing your network, both inbound and outbound. You can manage web access across your organization with URL categorization. This allows you to enforce organizational policies against access to specific content, prevent access to potentially malware-laden websites and apps, or stop bandwidth chokers, among other uses. After configuring the F5 SWG service, you can add the newly created SWGaaS to an existing service chain or create a new one.
The F5 Office 365 Tenant Restrictions service provides a mechanism to allow or deny access to O365 resources based on organizational requirements. Your organization's Restrict-Access-To-Tenants and Restrict-Access-Context values must be inserted into HTTP headers. You can obtain the Tenant Domain and Tenant ID values from the Microsoft Azure portal by signing in as the Administrator. Click Office 365 Tenant Restrictions for detailed information on Tenant Restrictions.
The F5 Advanced Web Application Firewall (On-Box) service allows you to configure and deploy Advanced Web Application Firewall profiles through the SSL Orchestrator interface for all topologies. The Advanced WAF service and SSL Orchestrator run on the same device. After configuring the service, you can validate it as a service chain object. For this configuration, you should have Application Security Manager (ASM) and Advanced Web Application Firewall (WAF) profile(s) configured, licensed, and provisioned on BIG-IP.
In the F5 Advanced Web Application Firewall (Off-Box) service configuration, the Advanced WAF service and SSL Orchestrator run on separate devices. The Advanced WAF services are delegated to the Advanced WAF devices specified in the Security Devices list. All policies related to the firewall are configured on the Advanced WAF devices. On deployment, the deployed policies, associated profiles such as connector and service profiles, virtual servers, and other respective objects are created on the SSL Orchestrator device.
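To make the service control channel guidance above concrete, here is an added Python sketch (not F5's own configuration model or API) that models a control channel as a source/destination/port/protocol match and checks which constructed sample flows it would catch. It compares the over-wide rule from the example (wildcard source, destination port 80) with the recommended narrow rule whose source is the security service's own IP, assumed here to be 10.2.2.10 with no SNAT.

```python
from ipaddress import ip_address, ip_network

# Illustrative model of a service control channel rule (not F5's data model):
# a flow bypasses the service chain when it matches every criterion.
class ControlChannel:
    def __init__(self, name, src, dst, dst_port, proto):
        self.name = name
        self.src = ip_network(src)        # e.g. "10.2.2.10/32" or "0.0.0.0/0"
        self.dst = ip_network(dst)
        self.dst_port = dst_port          # None means any destination port
        self.proto = proto                # "tcp", "udp" or "any"

    def matches(self, flow):
        src, dst, port, proto = flow
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dst_port is None or self.dst_port == port)
                and (self.proto == "any" or self.proto == proto))

# Constructed sample flows: (src, dst, dst_port, proto). The first group is
# ordinary client-server traffic that must stay in the service chain; the
# second originates from the security device itself (assumed 10.2.2.10).
CLIENT_FLOWS = [
    ("10.1.1.50", "198.51.100.7", 80, "tcp"),
    ("10.1.1.51", "198.51.100.7", 443, "tcp"),
]
SERVICE_FLOWS = [
    ("10.2.2.10", "10.0.0.53", 53, "udp"),       # DNS query by the proxy
    ("10.2.2.10", "203.0.113.20", 80, "tcp"),    # signature update fetch
]

def leaked_client_flows(channel, client_flows=CLIENT_FLOWS):
    """Client-server flows that would wrongly exit via the control channel."""
    return [f for f in client_flows if channel.matches(f)]

def uncovered_service_flows(channel, service_flows=SERVICE_FLOWS):
    """Service-originated flows the channel fails to let out."""
    return [f for f in service_flows if not channel.matches(f)]

# The over-wide filter from the text: wildcard source, destination port 80.
WIDE = ControlChannel("wide", "0.0.0.0/0", "0.0.0.0/0", 80, "tcp")
# The recommended pattern: the service's own IP as the source (no SNAT).
NARROW = ControlChannel("narrow", "10.2.2.10/32", "0.0.0.0/0", None, "any")

if __name__ == "__main__":
    for ch in (WIDE, NARROW):
        print(ch.name, "leaks:", leaked_client_flows(ch),
              "misses:", uncovered_service_flows(ch))
```

The wide rule both lets a client HTTP flow escape and fails to cover the service's DNS query, while the narrow rule catches exactly the service-originated flows.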
In scenarios where a security service operates outside a secure enclave, the decrypted traffic may have to traverse a network to reach the security device. To manage this traffic securely and mitigate the potential risks, you can re-encrypt the traffic to an HTTP, ICAP, L3 Inline, or AWAF Off-Box service. During service configuration, select the required Server SSL and Client SSL profiles in the Re-encrypt on service entry and Decrypt on service return fields for the re-encryption and decryption, respectively.
To use a previously created service, select the check box next to the name of the desired service type and click Save & Next. You can edit any previously created service by clicking directly on its name. To create a new service, click Add Service. Only the services created as part of this workflow can be deleted.