Topology
-
When using the Topology screen, you can set up SSL Orchestrator in an array of topologies that define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect.
These deployment settings, which can be modified as needed without un-deploying a configuration, are complemented by SSL settings that help you define inbound and outbound decryption, set your service types (such as HTTP, ICAP, Layer 2 (L2)/Layer 3 (L3) inline, and receive-only/TAP services), and create your service chains and security policies, which can be managed through a visual policy editor.
Available topologies are based on your initial network setup. Topologies that are not supported by your network setup or licensing will not show as an enabled option.
- L2 Inbound and L2 Outbound topologies are only available for supported L2 wire enabled networks.
- L3 Inbound and L3 Outbound topologies are available for all supported networks.
- L3 Explicit Proxy topology is only available when Protocol is set to either TCP or Any.
- Existing Application topology is available for devices with an SSL Orchestrator add-on license. This option is not available for standalone SSL Orchestrator devices. SSL Orchestrator installs default or custom outbound interception rules for greater support in defining your listeners, and gives you the flexibility to create your own outbound and inbound interception rules.
You can specify the L3 Inbound mode as either Gateway or Application. L2 Inbound mode is Gateway only. Inbound Gateway mode ensures non-SSL and non-HTTP traffic is forwarded and L7 protocols are identified as an outbound deployment. Inbound Application mode enables address translation.
L2/L3 Inbound Gateway and Application mode option:
- L2 Inbound: Only Gateway mode is available with address translation disabled. In Interception Rule, Port defaults to 0 and Destination Address/Mask defaults to 0.0.0.0%0/0.
- L3 Inbound: Select Gateway mode so address translation is disabled. In Interception Rule, Port defaults to 0 and Destination Address/Mask defaults to 0.0.0.0%0/0. Or, select Application mode so address translation is enabled. In Interception Rule, specify Port and Destination Address/Mask values. Inbound Gateway mode ensures non-SSL and non-HTTP traffic is forwarded and L7 protocols are identified as an outbound deployment.
Note: In L2 or L3 Inbound Gateway mode, the Verified Accept check box appears on the Interception Rule screen in Advanced Settings.
When upgrading from previous releases, if SSL Orchestrator inbound topology had:
- L2 inbound topologies, it will map to Gateway mode.
- Port set to a number that is not 0, it will map to Application mode.
- Port set to 0 and no LB pool attached, it will map to Gateway mode.
- Port set to 0, with LB Pool attached, a specific mode will not be mapped. The admin can determine if Gateway or Application mode should be selected for that topology using the Mode option in the UI.
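The mapping above is a pre-upgrade decision an administrator can check in advance. The following is an added example, not part of the SSL Orchestrator documentation or product: it applies the four mapping rules to a constructed inventory of inbound topologies (the topology names, pool names and addresses are made up) and flags the ones that will need a manual Mode selection, plus any whose Interception Rule does not match the defaults stated for the mode they land in.

```python
"""Pre-upgrade audit of SSL Orchestrator inbound topologies (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Destination Address/Mask default for Inbound Gateway mode (from the text above)
GATEWAY_DEFAULT_DEST = "0.0.0.0%0/0"


@dataclass
class InboundTopology:
    name: str               # constructed name, not from a real device
    layer: str              # "L2" or "L3"
    port: int               # Interception Rule port (0 = any)
    lb_pool: Optional[str]  # attached LB pool name, or None if no pool
    dest: str               # Interception Rule Destination Address/Mask


def upgrade_mode(t: InboundTopology) -> Optional[str]:
    """Mode the upgrade assigns, or None when the admin must choose in the UI."""
    if t.layer == "L2":
        return "Gateway"        # L2 inbound topologies always map to Gateway
    if t.port != 0:
        return "Application"    # a specific port maps to Application mode
    if t.lb_pool is None:
        return "Gateway"        # port 0 and no LB pool maps to Gateway
    return None                 # port 0 with an LB pool: not mapped automatically


def audit(topologies: List[InboundTopology]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (name, mapped mode, findings) for every topology."""
    results = []
    for t in topologies:
        mode = upgrade_mode(t)
        findings = []
        if mode is None:
            findings.append("select Gateway or Application mode in the UI after upgrade")
        if mode == "Gateway" and (t.port != 0 or t.dest != GATEWAY_DEFAULT_DEST):
            findings.append("Gateway mode expects Port 0 and 0.0.0.0%0/0 in the Interception Rule")
        if mode == "Application" and t.dest == GATEWAY_DEFAULT_DEST:
            findings.append("Application mode expects a specific Destination Address/Mask")
        results.append((t.name, mode, findings))
    return results


# Constructed sample inventory (not exported from a real BIG-IP)
SAMPLE = [
    InboundTopology("l2_in", "L2", 0, None, GATEWAY_DEFAULT_DEST),
    InboundTopology("web_in", "L3", 443, "web_pool", "10.1.10.20%0/32"),
    InboundTopology("catchall_in", "L3", 0, None, GATEWAY_DEFAULT_DEST),
    InboundTopology("pool_in", "L3", 0, "app_pool", GATEWAY_DEFAULT_DEST),
]

if __name__ == "__main__":
    for name, mode, findings in audit(SAMPLE):
        print(f"{name}: {mode or 'UNMAPPED'} {findings}")
```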
Note: After upgrading an L2 Inbound deployment, the Gateway mode is automatically set. However, you cannot use the Inbound Gateway mode feature unless you manually edit the topology by selecting the Enable Inbound Gateway Feature check box or manually associate the corresponding -gw_in_t and -lib iRules in SSL Orchestrator (in the Interception Rule step) or using TMUI/TMSH (virtual server).
Enabling the inbound gateway feature ensures that non-SSL and non-HTTP traffic can be forwarded. In addition, traffic whose L7 protocol is identified as an outbound deployment, and HTTP traffic whose L7 protocol is identified as HTTP, can be forwarded, and server-speak-first traffic (e.g. IMAP) is also handled. Enabling this feature may break existing custom iRules.
Note: After upgrading, you can update an existing L3 Inbound deployment in either Gateway or Application mode if you did not select the inbound mode value set by the upgrade. For example, if your inbound topology has not yet been manually modified, an “i” icon appears in front of the name of your deployment. Mouse over the icon for more information and make edits by clicking on the name. In addition, an Enable Inbound Gateway Feature check box may appear. By selecting it, the corresponding iRules, -gw_in_t and -lib, will be attached to this topology. This is a one-time action.
Parent topic: SSL Orchestrator Guided Configuration