Manual Chapter:
Discovering and importing SSL Orchestrator on BIG-IQ
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
BIG-IQ SSL Orchestrator overview
F5 SSL Orchestrator (SSLO) provides an all-in-one appliance solution
designed to optimize the SSL infrastructure, provide security devices with visibility of
SSL/TLS encrypted traffic, and maximize the efficient use of that existing security
investment.
This solution centralizes and consolidates SSL inspection across complex
security architectures, allowing you flexible configuration and deployment options to
decrypt and re-encrypt user traffic across multiple devices. It supports policy-based
management and steering of traffic flows to third-party security devices, intrusion
prevention systems (IPS), anti-malware, data loss prevention (DLP), and many other
forensics tools. It provides a wide range of SSL Orchestration analytics that you can
easily customize based on the preferences that you set and manage. SSLO is also designed to
work autonomously; that is, you can use the full SSLO feature set on your BIG-IP devices
without having to also install and provision the BIG-IP Access Policy Manager (APM) and
BIG-IP Local Traffic Manager (LTM) services.
How do I start managing SSL Orchestrator from BIG-IQ?
To manage SSL Orchestrator (SSLO) from BIG-IQ Centralized Management, BIG-IQ must be managing the BIG-IP devices running SSLO. To start managing a BIG-IP device, you must add it to the BIG-IP Devices inventory list in BIG-IQ Centralized Management.
There are a few ways you can add BIG-IP and BIG-IP VE devices to your BIG-IQ system so you can start managing them.
- Add a BIG-IP or BIG-IP VE device located in your network, specify its configuration options, and import its services all in one step in a process called onboarding.
- Add a BIG-IP VE device located in a third-party cloud environment, then onboard it.
- Add one or more BIG-IP devices located in your network, and discover and import their services in a separate procedure.
You cannot discover the SSL Orchestrator service from multiple BIG-IP devices at once. This service must be discovered from one BIG-IP device at a time.
Discover SSL Orchestrator configurations
Before initiating the BIG-IQ discovery process, make sure that the BIG-IP configuration that you want to discover is accurate and up to date, and that you are managing the BIG-IP device running the service.
You discover SSL Orchestrator (SSLO) configurations from your managed BIG-IP devices to ensure consistent configurations across managed BIG-IP devices.
- On BIG-IQ, click Devices.
- On the left, click BIG-IP Devices. If you are adding a new managed device, use the popup to select the services that you want to discover. The screen displays a list of managed devices for this BIG-IQ Centralized Management system.
- Under Device Name, select the BIG-IP device running the SSL Orchestrator service configuration that you want to discover.
- Select SERVICES and scroll down to SSL Orchestrator at the bottom of the page.
- To discover the SSL Orchestrator service that you want to manage on BIG-IQ, click Discover. The discovery process should take several seconds. The system confirms when the SSLO device has been discovered. You cannot discover the SSL Orchestrator service from multiple BIG-IP devices at once. This service must be discovered from one BIG-IP device at a time.
- Wait fifteen minutes to discover another SSL Orchestrator service from a different BIG-IP device. This will allow the system enough time to auto-refresh.
Once you have finished discovering an SSL Orchestration configuration, you are ready to import the SSL Orchestrator configuration into BIG-IQ.
Import SSL Orchestrator configuration into BIG-IQ
Before importing an SSL Orchestrator (SSLO) configuration from a BIG-IP device to manage SSLO configurations on BIG-IQ, you must first discover the BIG-IP service.
To begin managing BIG-IP SSLO configurations from BIG-IQ, you must discover the SSLO service and import its configuration. You can re-discover services at any time, but importing this service is a one-time process.
Unlike other services that can be managed from BIG-IQ, SSLO uses a one-time import process. Because you cannot re-import an SSLO configuration, after you complete the initial SSLO discovery and import, do not perform any SSLO configuration changes locally (on the BIG-IP). Instead, you can avoid configuration inconsistencies between the BIG-IP device and BIG-IQ by making all changes on the BIG-IQ.
- On BIG-IQ, at the top, click Devices.
- On the left, click BIG-IP DEVICES. The screen displays the list of managed devices for this BIG-IQ Centralized Management system.
- Under Device Name, click the hostname of the BIG-IP device that contains the SSLO configuration you want to import.
- Select SERVICES.
- To import an SSLO device configuration into BIG-IQ, scroll down to SSL Orchestrator and select Import. After you click Import, the system opens a popup screen. On this screen, you review and update the settings for the SSLO service on the device. Then, you deploy those settings back to the BIG-IP device before importing the service to BIG-IQ.
- For Location, identify where the devices are physically located.
  - To add this service to an existing location, click Use Existing, and select the location to which you want BIG-IQ to add this device.
  - To specify a new location, click Create New, and then type a name for the new location.
- Scan the rest of the settings and revise as needed. If SSLO has been configured on the BIG-IP device, BIG-IQ displays the current settings from the device. Otherwise, all other required fields are set to their defaults. In either case, you have the option to revise these settings here.
- Click Deploy. BIG-IQ deploys the configuration you specified to the BIG-IP device, and then displays an Import button.
- Click Import. BIG-IQ imports the SSLO configuration from the BIG-IP device.
Once you import an SSLO configuration, you should perform all SSLO configuration management from BIG-IQ. When you have changes to make, you can revise the configuration of all SSLO devices using one deployment.